A high-severity vulnerability has been discovered in a number of Cisco routers which allows threat actors to bypass authentication, gain root access to the endpoint, and even launch arbitrary commands on the underlying operating system in the second stage of the attack.
The news comes courtesy of Cisco itself, which said it would not be addressing the flaw because it was discovered in endpoints that have reached end of life. The flaw, tracked as CVE-2023-20025, affects Cisco Small Business RV016, RV042, RV042G, and RV082 routers. By sending a crafted HTTP request to the web-based management interface of a vulnerable router, an attacker could bypass the device’s authentication and exploit it remotely.
The attackers would then be able to chain a second, also newly disclosed vulnerability, CVE-2023-2002, to execute arbitrary commands on the device’s operating system.
Blocking important ports
The bugs are rated as “critical”, but Cisco will not be addressing them, mostly because the devices in question are no longer supported by the company. However, BleepingComputer found that RV042 and RV042G routers were available for sale until January 30, 2020, and will enjoy the company’s support until January 31, 2025.
There are no workarounds for the flaw, but admins can disable the routers’ web-based management interface, or block access to ports 443 and 60443, which would help block potential attacks.
This is not the first time Cisco has decided not to fix critical authentication bypass vulnerabilities. As BleepingComputer notes, a similar flaw was discovered in September affecting the end-of-life RV110W, RV130, RV130W, and RV2015W routers. At the time, Cisco suggested customers move to the RV132W, RV160, and RV160W.
In June, a critical remote code execution (RCE) flaw (tracked as CVE-2022-20825) was found and left unchecked.
Routers are a crucial component in data transit, and as such, are a major target for cybercriminals. Therefore, it’s not uncommon for cybersecurity researchers and OEMs to regularly find, and patch, high-severity flaws. However, unpatched flaws can wreak havoc on a network, as threat actors don’t have to discover new vulnerabilities themselves - they can just leverage what’s already common knowledge.
A major impersonation campaign is aiming to distribute the Vidar infostealer to as many endpoints as possible.
A cybersecurity researcher from SEKOIA, going by the name crep1x, discovered the campaign and raised the alarm on Twitter. In a short Twitter thread, the researcher said he had discovered more than 1,300 domains, all of which impersonate major software brands to push the malware.
The brands impersonated in this campaign include AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, and cryptocurrency trading apps, to name a few. All of these impersonated brands lead to the same website, a clone of AnyDesk.
Stealing passwords and cryptocurrency
For the uninitiated, AnyDesk is a remote desktop application that gives users remote access to personal computers, allows them to transfer files, and can be used as a VPN.
Victims who navigate to these sites and try to download the application are redirected to a Dropbox folder hosting the Vidar infostealer. A variant of the Arkei infostealer, Vidar is capable of stealing credit cards, login credentials, and files, and of grabbing screenshots. It can also steal cryptocurrencies, such as bitcoin or ether, from the victim’s hot wallets (software wallets).
According to BleepingComputer, which reported on crep1x’s findings earlier this week, the campaign is still active and many of the typosquatted domains are still online, although some have been shut down in the meantime. Dropbox was also notified that its service was being abused to distribute malware and has since killed the link.
However, given that all of the malicious sites point to the same place, the threat actors can persist easily by simply updating the download URL.
The best way to protect against such attacks is to be extra careful when downloading software and to make sure apps are only obtained from verified sources. For instance, navigating directly to the AnyDesk website (as opposed to clicking a supposed AnyDesk link in an email or a social media post) is a good place to start.
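The campaign relies on domains that either embed a brand name ("anydesk-download") or sit an edit or two away from it. The following is an added example, not code from the article or from SEKOIA, showing how a defender might triage newly observed domains against the brands the article lists. The allowlist of genuine vendor domains and the sample domains are constructed for the example; a real deployment would populate both from its own sources.

```python
import re

# Brands the campaign impersonated, per the article (lower-cased, spaces removed)
IMPERSONATED_BRANDS = ["anydesk", "msiafterburner", "7zip", "blender",
                       "dashlane", "slack", "vlc", "obs"]

# Hypothetical allowlist of the vendors' genuine domains; a real deployment
# would maintain this list from the vendors' published download pages.
KNOWN_GOOD = {"anydesk.com", "videolan.org", "slack.com", "blender.org"}


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a domain; assumes a single-label public suffix."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brands=IMPERSONATED_BRANDS, allowlist=KNOWN_GOOD):
    """Return (brand, reason) if the domain looks like an impersonation, else None."""
    if domain.lower().strip(".") in allowlist:
        return None
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-_]+", label) if t]
    compact = "".join(tokens)
    for brand in brands:
        # Long brand names are distinctive enough to flag as substrings
        # ("anydesk-download"); short ones ("obs", "vlc") only as whole tokens,
        # otherwise "jobs" would trip on "obs".
        if (len(brand) >= 5 and brand in compact) or brand in tokens:
            return (brand, "contains brand name")
    for brand in brands:
        if len(brand) < 5:
            continue  # too short for a meaningful near-miss check
        budget = 2 if len(brand) >= 7 else 1
        for token in tokens:
            d = levenshtein(token, brand)
            if 0 < d <= budget:
                return (brand, f"near miss, edit distance {d}")
    return None


def triage(domains):
    """Map each domain to its classification; None means no brand match."""
    return {d: classify(d) for d in domains}


# Constructed sample of newly observed domains (not the researcher's real list)
SAMPLE_DOMAINS = ["anydesk.com", "anydesk-download.com", "anydeks.com",
                  "vlc-player.net", "jobs.com", "example.com", "s1ack.app"]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_DOMAINS).items():
        print(f"{domain:24} {verdict or 'no match'}")
```

The two thresholds (substring match only for names of five or more characters, near-miss budget scaled to the brand length) are the knobs that keep short names such as "obs" from flagging every domain containing those letters; tune them against your own false-positive rate.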
Google on Wednesday was refused an interim stay on the competition regulator’s order imposing a Rs. 936-crore penalty on the US tech giant for abusing its dominant position in the market. The National Company Law Appellate Tribunal directed Google to deposit 10 percent of the fine imposed by the Competition Commission of India in a case related to its Pla...
The NPCI has permitted non-residents from 10 countries, including the US, Canada and UAE, to digitally transfer funds using the UPI platform from NRE/NRO accounts. The National Payments Corporation of India (NPCI) in a circular said it has been receiving requests for allowing non-residents to use international mobile numbers for transacting in Unified Payments Interf...
Imagine being trapped inside commercial hell where the only escape is your voice. Who would cook up such a thing?
According to a tweet that's been viewed over 18 million times, this was Sony's brilliant idea. I almost did a spit-take when the tweet rolled into my feed. It's not a full patent, just an illustration from one that shows someone sitting on a couch watching a TV show in which one person is shooting someone else (weird to have such unnecessary violence in a patent). A McDonald's commercial represented, naturally, by a giant hamburger appears on screen with the message, "Say 'McDonald's' to end commercial." The TV watcher enthusiastically leaps to his feet and yells "McDonald's" and then it's back to the on-screen violence.
That does look like someone is ending a commercial with their voice. But that's not the whole story.
Sony owns a patent that would force viewers to exclaim the brand name during commercials to end them. pic.twitter.com/DC3rcKvzlL
January 9, 2023
The total lack of context around the tweet and patent drawing intrigued me. Where did this image come from? Having looked at hundreds of patents over the years, I was convinced that this was, in fact, a real patent drawing (not that someone couldn't have purposely drawn something to mimic one).
I decided to investigate whether this was from a real patent. That's not as easy as it sounds. There are, according to my friends at the US Patent and Trademark Office, more than 11.5M patents (not including the ones lost in a fire in 1836).
The US Patent Office has a search engine, but it doesn't always make it easy to find what you need. I tried searching on "Sony" and "Commercials", but that didn't bring back anything that resembled this patent or image.
I switched to Google and searched on "sony end commercials brand name". The first result was for the popular tweet. Thanks, Google.
Scrolling down, though, I noticed articles from 2014 and 2013. All of them highlighted the same image and offered the same lack of context. On Reddit, a post devoted to the image was removed by moderators because it had "no proof/source." No one seemed to know where to find the original patent.
Turns out, though, that there is proof and a source, and I found it in Google Patents. The often-shared image is just one of 21 illustrations from Patent No. US8246454B2, "System for converting television commercials into interactive networked video games," by inventor Gary M Zalewiski.
Sony applied for the patent back in 2009. The application was granted in August 2021.
The patent is not, ostensibly, about trapping consumers in commercial hell until they jump up and yell a brand name. Here's part of the abstract:
"In one method, a broadcast or streamed commercial is accompanied by an interactive segment. A media player coupled to the broadcast or streaming media source identifies the existence of the interactive segment and presents the user with an enhanced and interactive mini-game commercial that can be played with other “viewers” in a common or disperse demographic."
Based on the description and images, this patent is about interactive and actionable commercials. You could play games within them or even order products. In one illustration, the system shows a TV connected to both a "Media Streaming Computer" and PlayStation (it looked like a PS3). The gaming console connects to an Interactive Commercial Service, which then talks on the back end to an Advertiser or one of almost a dozen networks, including NBC, CBS, Hulu, and, yes, MySpace.
Some more details on how this patent might really work. (Image credit: USPTO)
Each patent illustration, or "Figure" as they're called in patents, comes with a little caption. Here's how the key image is described.
"FIG. 9 illustrates a user interacting verbally with a commercial, according to one embodiment."
I know, not much to go on.
The more detailed description of the patent, though, makes clear exactly what's happening in that illustration, and, it's even stranger than I thought.
The original meme-worthy patent illustration. (Image credit: USPTO)
I won't put the entire description here because it's too long and clearly written by someone who isn't interested in elegant prose. Instead, I'll list the steps:
Someone is watching a movie.
The movie's progress bar shows that a commercial break is coming up (that's something you can see today on services like Hulu).
The commercial starts.
It's interactive and triggers the on-screen display of "Say McDonald's to end commercial".
The viewer says "McDonald's" (we'll never know why he chose to jump up and raise his arms).
The viewer's words are captured by a microphone on the TV.
Voice recognition reads the response.
The system skips the rest of the commercial.
The viewer resumes watching the show.
The viewer might get a reward or coupon from the commercial sponsor, i.e. McDonald's.
The only wrinkle here is that this is not so much about trapping anyone in an infinite loop of commercials, it's really about triggering user engagement with the carrot of a possible reward. I mean, I'd happily yell, "Subway!" or "Cialis!" to end a commercial more quickly.
And that's the key. This was never an invention intended to create a Möbius strip of commercials that you could only leave if you spoke up. It was, in part, an interactive incentive system, perhaps the first-ever in the history of live TV broadcasts.
I sent queries to both Sony and the inventor to learn more about the status of this patent. If I hear back, I'll update this story.
It's always fun to post, share, and laugh about these standalone images but it's just as important to remember that they rarely, if ever, tell the whole story. For me, the patent is now far more interesting, if even a little weirder.
I truly cannot wait until we are all yelling at our Best TV of 2023 with a real purpose.
from TechRadar - All the latest technology news https://ift.tt/ZCncbfH
The popular Python package repository PyPI was found hosting AWS keys and malware, putting countless Python developers at risk of serious supply chain attacks.
The results come courtesy of software developer Tom Forbes, who built a Rust tool that scanned all new packages on PyPI for AWS API keys.
The tool came back with 57 positive results, including some from Amazon, Intel, Stanford, Portland, and Louisiana University, the Australian Government, General Atomics fusion department, Teradata, Delta Lake, and Top Glove.
Minimizing the damage
"This report contains the keys that have been found, as well as a public link to the keys and other metadata about the release," Forbes said. "Because these keys are committed to a public GitHub repository, Github’s Secret Scanning service kicks in and notifies AWS that the keys are leaked."
Consequently, AWS notifies the developer of the leak and quarantines the key to minimize the damage. The problem is that a tool such as this one was relatively easy to build, and while Forbes’s intentions are benign, others’ may not be. Speaking to The Register, he said different keys may cause different levels of pain:
"It depends on the exact permissions given to the key itself," Forbes explained. "The key I found leaked by InfoSys [in November] had 'full admin access' which means it can do anything, and other keys I found in PyPI were ‘root keys’ which are also allowed to do anything. An attacker holding these keys would have full access to the AWS account it is linked to."
He added that GitHub’s automated key scanning is a positive step forward, but not enough to tackle the problem in its entirety:
"GitHub also cares a lot about supply chain security but they have dug themselves a hole: The way they scan for secrets involves a lot of collaboration with vendors who may disclose internal information about how keys are constructed to GitHub," he said. "This means that the regular expressions that GitHub uses to scan for secrets cannot be made public and are sensitive, which also means that third parties like PyPI are effectively unable to utilize this awesome infrastructure without sending every bit of code published on PyPI to GitHub."
While he did blame PyPI, saying the platform could do more to protect its users, he also said developers should take some responsibility for the security of their solutions. What’s more, AWS should be a part of the solution, as well, he added: "AWS has some blame to share here as well: IAM is notoriously difficult to debug and get right which leads to overly wide permissions being granted on keys."
To protect against supply chain attacks via PyPI, Forbes says organizations should reconsider their security policies.
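Forbes’s scanner and GitHub’s secret scanning both come down to running key-format patterns over every file in a release, which is something a project can also do on its own packages before it uploads them. The following is an added example, not Forbes’s tool or PyPI’s or GitHub’s code: it unpacks an sdist-style tarball in memory and reports AWS access key IDs, together with any 40-character secret found nearby. The key patterns are assumed from the publicly documented AWS formats, and the sample archive is constructed here using the AWS documentation’s example credentials, not a real leaked package.

```python
import io
import re
import tarfile

# Assumed from the documented AWS key formats: an access key ID is "AKIA"
# followed by 16 upper-case alphanumerics; a secret key is 40 characters of
# base64-style text, normally sitting close to its access key ID.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Only text-like members are scanned; binary wheels would need a different path.
TEXT_SUFFIXES = (".py", ".cfg", ".ini", ".txt", ".json", ".yaml", ".yml", ".toml", ".env")


def scan_text(text):
    """Return a list of (access_key_id, secret_or_None) findings in a text blob."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        # Look for a secret in a short window after the access key ID.
        window = text[m.end(): m.end() + 400]
        sm = SECRET_KEY_RE.search(window)
        findings.append((m.group(1), sm.group(1) if sm else None))
    return findings


def scan_sdist(archive_bytes):
    """Scan every text-like member of a .tar.gz sdist; return {member_name: findings}."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(TEXT_SUFFIXES):
                continue
            data = tar.extractfile(member).read().decode("utf-8", errors="replace")
            hits = scan_text(data)
            if hits:
                results[member.name] = hits
    return results


def build_sample_sdist():
    """Construct an in-memory sdist for the demo (not a real PyPI package)."""
    files = {
        "demo-0.1/demo/__init__.py": "VERSION = '0.1'\n",
        "demo-0.1/demo/settings.py": (
            "# constructed sample using the AWS documentation example credentials\n"
            "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
            "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        ),
        "demo-0.1/README.txt": "Nothing secret here.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def redact(key_id):
    """Show only the prefix and suffix of a key ID so reports do not re-leak it."""
    return key_id[:4] + "..." + key_id[-4:]


if __name__ == "__main__":
    for name, hits in scan_sdist(build_sample_sdist()).items():
        for key_id, secret in hits:
            state = "present" if secret else "not found"
            print(f"{name}: access key {redact(key_id)}, secret {state}")
```

Run this over `dist/*.tar.gz` as a pre-upload check and fail the release on any hit; the report prints redacted IDs only, since a finding that reproduces the full secret in CI logs is itself a leak.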
In a no-holds-barred chat promoting his new memoir Spare, Prince Harry shares his feelings about Camilla Parker-Bowles and his relationship with his father and brother.
Hisense’s sprawling booth at CES 2023 was packed with TVs – unlike some other brands, it had its full 2023 lineup on display, with detailed specs listed for each series. All sets should be available in spring, which is when manufacturers typically start rolling out new TVs.
Last year saw Hisense introduce its first mini-LED models, the U8H series, which ended up on our list of the best 4K TVs owing to its great performance for the price. For 2023, the company will incorporate mini-LED backlighting throughout its full premium ULED (quantum dot) TV lineup, with prices starting at under $500 / £410 for a 50-inch model. Along with mini-LED backlighting, each series will use the Google TV smart interface and offer gaming-centric features including up to 144Hz refresh rate, VRR, ALLM, and FreeSync Premium Pro on all save the entry-level U6K. All sets will additionally support the Wi-Fi 6E standard for speedy streaming, along with both the Dolby Vision IQ and HDR10+ high dynamic range formats.
Something of interest for US viewers is built-in ATSC 3.0 tuners found throughout the full Hisense line. We expect to see more TVs coming out in 2023 capable of handling this next-gen TV broadcasting standard, which provides support for 4K video with HDR and Dolby Atmos audio, among other features. But of the new TVs announced at CES 2023, so far only LG has confirmed that its flagship G3 4K and Z3 8K models will have built-in ATSC 3.0 tuning capability.
ULED EX
The ULED EX (shown at top) is Hisense’s flagship TV for 2023. Available only in an 85-inch screen size, its backlight comprises over 20,000 mini-LED modules. More than 5,000 local dimming zones and a 16-bit light control algorithm are used to enhance contrast and shadow detail, and peak brightness is specced at 2,500 nits. The ULED EX also has an ultra low reflection screen and a 30% wider viewing angle than standard LED-backlit TVs – a first for a Hisense set, and something I could appreciate when viewing it in person at CES.
The limited edition ULED EX has the most advanced built-in audio system to appear in a Hisense TV: 4.1.2 channels, with over 80 watts used to power the set’s seven speakers.
Hisense's new U8K series for 2023 provides twice the number of local dimming zones as 2022's U8H models. (Image credit: Future)
U8K Series
Last year’s U8H series paved the way for Hisense’s expansion into mini-LED, and the new U8K models for 2023 double-down on that tech with over 1,000 local dimming zones. Peak brightness is listed as 1,500 nits, but if the super-bright U8H model we tested in 2022 is any indication, that will prove to be a conservative spec.
Available in screen sizes ranging from 55 up to 85 inches (last year’s U8H series topped out at 75 inches), U8K series TVs will feature an anti-glare, low reflection screen. A built-in 2.1.2 audio system with up-firing speakers is another new addition, making it possible to hear Dolby Atmos soundtracks without a separate soundbar. The U8H series also features IMAX Enhanced and Filmmaker picture modes – two other features found throughout the 2023 Hisense mini-LED TV line.
U7K Series
Last year’s U7H series featured a standard LED backlight, but that changes this year: the U7K series gets mini-LED backlighting on all screen sizes, up to 500 local dimming zones, and a specified 1,100 nits peak brightness. U7H series TVs will be available in 55- to 85-inch screen sizes.
U6K Series
Available in 50- to 85-inch screen sizes, the U6K series will be Hisense’s high-value quantum dot models. They will also be affordably priced for TVs with a mini-LED backlight, with the 50-inch version selling for under $500. The U6K series will offer many of the same features found higher up the Hisense TV line, with a main difference being a display panel limited to 200-plus local dimming zones and a 60Hz refresh rate.
Check out all of TechRadar's CES 2023 coverage. We're bringing you all the breaking tech news and launches, everything from 8K TVs and foldable displays to new phones, laptops and smart home gadgets.
from TechRadar - All the latest technology news https://ift.tt/sDkuVGn
Mission Majnu's official trailer was unveiled by the makers of the movie on Monday. The spy thriller has Sidharth Malhotra and Rashmika Mandana playing the lead roles. Set in the 1970s, the movie shows Sidharth's character as India's only hope to gather information from Pakistan and thwart their mission.