Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
via National Vulnerability Database https://ift.tt/OD63ZH
October 1, 2020 at 12:30AM
via National Vulnerability Database https://ift.tt/OD63ZH
October 1, 2020 at 12:30AM
UK NCSC: Don't disable updates so you can continue using Adobe Flash past its EOL
The UK's cyber-security agency warned on Wednesday of the dangers and complications that may arise from not removing Adobe Flash Player and continuing to use the software past its end-of-life (EoL) date of December 31, 2020.
Problematic scenarios include enterprise and other networks where legacy web apps and desktop software still use Flash to display multimedia content or support features like file uploads, file explorers, loading screens, and more.
The UK National Cyber Security Centre (NCSC) fears that some system administrators —with disregard for the security of their network— might make the wrong decision and disable update mechanisms in these applications or web browsers so employees can continue using these apps.
"Just to be clear: You should not disable browser and/or platform updates as a way of continuing to use Adobe Flash Player after 2020," the agency said on Wednesday. [Emphasis by the NCSC]
"Instead, we encourage you to work alongside your suppliers to remove Flash dependencies. Any vendors that are unwilling, or unable, to do this should, themselves, be considered risky."
Some software providers like SAS, Citrix, Articulate, and others have already released updates and customer guidelines in preparation for the Flash EOL. Others may have not, and system administrators may need to intervene and remove the software from their networks and find a Flash-free alternative.
But if there's one thing that IT administrators can't say is that they've been taken by surprise. Adobe gave companies a three-year start to prepare for the Flash EOL, having first announced it in 2017.
Browser makers like Apple, Google, Microsoft, and Mozilla have all announced they also planned to remove Flash from their products by the end of 2020 or late January 2021, making playing any Flash content inside their products impossible.
In a recent update to the Flash EOL page, Adobe itself has asked companies to be proactive about the EOL and remove the software even before the end of the year, even planning to manually prompt users to uninstall Fash later this year.
This is the second time that the NCSC has stepped forward to issue a warning to UK IT admins about a soon-to-be EOL software application. The agency published a similar alert in August 2019 to urge software developers to migrate their code to Python 3.x as the Python 2.x branch was nearing its scheduled EOL date of January 1, 2020.
via ZDNet | Security https://www.zdnet.com/
October 1, 2020 at 12:29AM
Singapore to treat infosec as equivalent public good to fresh running water
The assistant chief executive of Singapore’s Cyber Security Agency, Brigadier General Gaurav Keerthi, says the island nation now considers providing a secure environment to citizens and businesses the equivalent of providing fresh water and sewerage services, and will next week improve digital hygiene with a voluntary scheme that will rate the security consumer broadband gateways.
Speaking at the Black Hat Asia conference in Singapore today, Keerthi explained that it’s his job to defend Singapore from cyber-threats. To explain his approach he started with a little history lesson in which he recounted how in the 1800s securing a fresh water supply and disposing of waste water were seen as personal responsibilities. Once it was realised that public health crises were the result of that attitude, widespread rollout of a universal fresh water supply and sewerage quickly became seen as a public good that governments needed to provide.
Keerthi said government thinking about information security is mired in that 1800s mentality of hoping citizens will do the right thing, or can be scolded into better behaviour. But with everyday life increasingly dependent on online services, he said Singapore has decided it is time to provide the infosec equivalent of clean tap water to all.
One way the nation is doing so is with services that the private sector can – pardon the pun - tap into. To that end the country offers “SingPass”, a national identity scheme that links citizens to services and is also offered to private enterprise such as banks as a free-to-use alternative to developing their own authentication schemes.
“We want to make the secure process the easier process,” Keerthi explained, promising the announcement of more such services for developers next week.
Also to be revealed next week is a “Consumer labelling service” for connected devices.
The scheme will initially see gateways provided by ISPs and smart hubs rated with a four-star assessment of their security. Keerthi likened the ratings to nutrition advice on food packaging and said the aim of the scheme is to have vendors aspire to winning good ratings and make investments that will make their products, and therefore Singapore, more secure.
Singapore has form in this field, he said, with energy efficiency ratings for air conditioners. Before the advent of those ratings, Keerthi said, consumers bought on price and manufacturers raced to the bottom. Today he says manufacturers even claim they would achieve a six-star rating if Singapore’s scheme did not max out at five stars.
Keerthi said the scheme will not be mandatory, but over time he thinks it will become natural for vendors to participate.
The Register asked how Singapore plans to secure participation in the scheme given the sheer quantity of connected devices on offer. Keerthi’s answer was “one at a time”, starting with devices that have the greatest potential for harm.
Details of how devices will be rated will be revealed during Singapore International Cyber Week 2020, which starts on October 5th.
Keerthi also said that Singapore hopes to share its consumer tech labelling scheme with other nations, as it believes the notion of infosec as a public good will become widespread to safeguard increasing dependence on national services and therefore improve national security. ®
via The Register – Security https://ift.tt/2XeTLgv
October 1, 2020 at 12:22AM
Allbirds CEO Joey Zwillinger on the startup’s $100 million round, profitability, and SPAC mania
As people spend less time out in the world and more time daydreaming about when a vaccine will arrive, lifestyle shoes are only gaining traction.
One obvious beneficiary is Allbirds, the San Francisco-based maker of comfortable, sustainable kicks that launched in 2016 and quickly became a favorite in Silicon Valley circles before taking off elsewhere.
Though the company saw its business slow this year because of the pandemic, its products are now available to purchase in 35 countries and its 20 brick-and-mortar stores are sprinkled throughout the U.S. and Europe, with another outpost in Tokyo and several shops in China.
Investors clearly see room for more growth. Allbirds just closed on $100 million in Series E funding at roughly the same $1.6 billion valuation it was assigned after closing on $27 million in Series D funding earlier this year, and blank-check companies have been calling, says cofounder and CEO Joey Zwillinger. He talked with us earlier this week in a chat that has been edited for length and clarity.
TC: Your shoes are sold worldwide. What are your biggest markets?
JZ: The biggest market by far is the U.S., and the same day that we started here in 2016, we also launched in New Zealand, so that’s been very good to us over the last four years, too. But we’ve seen growth in Japan and Korea and China and Canada and Australia. We have a network of warehouses globally that lets us reach 2.5 billion people [who], if they were so inclined, could get their product in three days. We’re proud of the infrastructure we’ve set up.
TC: We’ve all worn shoes a lot less than we might have expected in 2020. How has that impacted your business?
JZ: We’re growing but definitely not at the same pace we would be had the pandemic not occurred. We’re predominantly digital in terms of how we reach people, but stores are important for us. And we had to switch [those] off completely and lost a portion of our sales for a long time.
TC: Did you have to lay off your retail employees?
JZ: A large portion of our retail force was unable to work, but we were luckily able to keep them fully paid for four months, plus [some received] government benefits if they got that. And now all of our 20 stores are up and running again in a way that’s totally safe and everyone feels really comfortable.
We also donated shoes to frontline workers — 10,000 pairs or around a million dollars’ worth.
TC: What does Allbirds have up its sleeve, in terms of new offerings?
JZ: We just launched our native mobile app, and through it we’re able to give our more loyal fans exclusives. It’s a really cool experience that blends technology with fashion. You can try on shoes in a virtual mirror; you’re given information [about different looks] that you wouldn’t have otherwise.
We also launched wool-based weather-proofed running shoes in April that have blown away our expectations but [were fast discovered by] people who haven’t really been running for 10 to 15 years and are running again [because of gym closures]. It’s a super high-stakes category and one that’s hard to break into because people buy on repeat. But we spent two years making it. It’s not like we launched it because of the pandemic. It’s a shoe for 5K to 10K distances — it’s not a marathon shoe or a trail shoe — and that we’ve been able to clearly articulate that speaks to its success, I think.
TC: What about clothing?
We launched underwear and socks last year in a small launch. We developed a textile that hasn’t been used before — it’s a blend of tree fiber and merino wool because our view is that nature can unlock magic. Underwear is typically synthetic — it’s made from plastics — or cotton, which isn’t a great material for a whole bunch of reasons. [Meanwhile] ours is phenomenal for temperature control; it also feels like cashmere.
TC: Patagonia really advertises its social and environmental values. Do you see Allbirds evolving in a similar way, with a growing spate of offerings?
JZ: I’m incredibly humbled by [the comparison]. Given their environmental stewardship of the retail sector, we hope we’re compared to them. But they are much more of an outdoor brand — not a competitor so to speak. And we’d love to share more of the retail world with them so we can do our environmental thing together.
TC: You just raised funding. Are you profitable and, if not, is profitability in sight?
JZ: We’ve been profitable for most of our existence. Having some discipline as we grow is good. We’re not close to the profitability that we’ll eventually have, but we’re still a small company in investment mode. After we emerge from the pandemic, we’ll enter a ramping-up phase.
TC: Everyone and their brother is raising money for a blank-check company, or SPAC, which can make it a lot faster for a private company to go public. Have you been approached, and might this option interest you?
JZ: Yes and no. Yes we’ve been approached, and no, we’re [not interested]. We want to build a great company and being public might be something that helps enable that for a whole bunch of reasons. But we want to do it at the right time, in a way that helps the business grow in the most durable and sustainable fashion. Just jumping at the opportunity of a SPAC without doing the rigorous prep the way we want to, we’re not super focused on that
via TechCrunch https://techcrunch.com
October 1, 2020 at 12:10AM
Diplomats are supposed to be subtle and clever. Australias just leaked 1000 citizens email addresses
Diplomats are supposed to be subtle and clever. Australia’s just leaked 1,000 citizens’ email addresses
Australia’s Department of Foreign Affairs and Trade (DFAT) has just exposed personal details of over 1,000 citizens in an email.
Australia has all-but-closed its borders during the COVID-19 pandemic, rationing the number of citizens who can fly into the country each day. That policy means the few airlines still flying sell their business class seats and not many more, leading to people holding cheaper tickets being bumped off flights and big backlogs of citizens trying to get home to mostly-COVID-free Australia.
Some of those bumped from flights have quit jobs and packed up homes in in anticipation of returning home. Others are no longer permitted to work in whichever country they currently inhabit.
In recent weeks this has led to political pain for the government as Australians ask increasingly pointed questions about why they can’t come home at a time of their choosing.
So last week the government increased entry quotas and started an emergency loans scheme for those in dire need.
And when it emailed potential recipients of those loans, it used the “To” field.
DBA locked in police-guarded COVID-19-quarantine hotel for the last week shares his story with The RegisterREAD MORE
Officials tried to recall the mail, but that seldom works and didn’t do so on this occasion either.
A little later DFAT sent another mail in which it said: “"We request your assistance in immediately deleting that email from your IT system and refraining from any further forwarding of the email, to protect the privacy of the individuals concerned.”
The Department also tweeted an apology of sorts, but it did not always go down well.
It may be “government agencies doing dumb things with email” week in Australia’s neighborhood, as a similar breach has emerged with New Zealand’s Civil Aviation Authority allegedly making the same mistake when mailing residents who had complained about drone regulations. That breach is detailed in this video. ®
via The Register – Security https://ift.tt/2XeTLgv
September 30, 2020 at 11:32PM
An Order of Cybersecurity with a Side of “Hope”
This is a true story.
I was sitting at breakfast the other day with my wife. As we waited for our food to arrive, four people were sitting at a socially distanced table. They were discussing how they have to restart their computers every month because of “something Microsoft does that makes me restart.” The conversation continued:
Diner 1: “That’s why I only use a capital ‘A’ as my password on that machine.
Diner 2: “Mine is always ‘1234’”
Diner 3: “Same thing with the internet. I use the same password everywhere.”
They continued their conversation with a host of other revealing information. I was waiting for them to start reciting their credit card numbers out loud. I am not sure why they were all loudly broadcasting this at a public place. I would like to think that they were FBI agents and that they were testing me to see if I would take their bait. But I am certain that is not the case.
I started to stand up, and my wife stopped me and said “Don’t you dare go over there and educate them.”
I said “But this is ridiculous. They need to know!”
My wife said, “You’re being officious.”
Me: “No, I am not. I am not acting in any official capacity. Besides, I don’t even have my CISSP card with me.”
My Wife: “No, you knucklehead. Officious means that you are offering your services where they are neither wanted or needed.”
Me: “How is it not needed? They clearly need my advice. I bet that ‘1234’ is also the code for the keyless entry system on that guy’s car!”
My Wife continued: “How do you think they will feel if you go over there and start teaching them about cybersecurity when they are just trying to make breakfast conversation? Besides, you are probably the only person in the room who would really know what to do with the information they are trumpeting.”
Did I mention how astute (and brutally honest) my wife can be at times?
However, she was right.
As a cybersecurity professional, how would you have handled this situation? Should we approach unsuspecting people to teach them how to better protect their information such a passwords, or should our educational efforts be confined to the forced annual security awareness trainings and phishing exercises that we conduct?
We are great evangelists, but we are poor at public relations. We need a better marketing strategy, so here is a proposal that you can use now to raise awareness on a broader scale.
Contact your favorite local media outlet. Whether it is a news publication or a television news outlet, look up their contact information and let them know that October is National Cyber Security Awareness Month, and that you are confident that if they run a piece about cybersecurity, it would be a great benefit to their audience. Perhaps you could offer to write something for them yourself or offer some advice to them if they do not have a subject matter expert on their staff. Maybe this could result in a new career path for you. Whatever it amounts to, your contribution to the community can only help.
via The State of Security https://ift.tt/2dEfvfb
September 30, 2020 at 10:09PM
Twitter removes 130 Iranian accounts for trying to disrupt the US Presidential Debate
Social networking giant Twitter said today that it removed around 130 Iranian Twitter accounts for attempting to disrupt the public conversation during last night's first Presidential Debate for the US 2020 Presidential Election.
Twitter said it learned of the accounts following a tip from the US Federal Bureau of Investigations.
"We identified these accounts quickly, removed them from Twitter, and shared full details with our peers, as standard," the social network said today.
"They [the accounts] had very low engagement and did not make an impact on the public conversation," it added.
Twitter said it plans to publish details about the removed accounts and their tweets on its Transparency portal's section for influence operations.
This marks the second time this month that Twitter has intervened to take down an influence operation on its website following an FBI tip. Twitter previously removed accounts tied to PeaceData, a news site that published misleading articles about world politics, which the FBI claimed was a Russian influence operation.
via ZDNet | Security https://www.zdnet.com/
September 30, 2020 at 08:56PM
Indian startups explore forming an alliance and alternative app store to fight Google’s ‘monopoly’
Google, which reaches more internet users than any other firm in India and commands 99% of the nation’s smartphone market, has stumbled upon an odd challenge in the world’s second largest internet market: Scores of top local entrepreneurs.
Dozens of top startups and firms in India are working to form an alliance and toying with the idea of launching an app store to cut their reliance on Google, five people familiar with the matter told TechCrunch.
The list of entrepreneurs include high-profile names such as Vijay Shekhar Sharma, co-founder and chief executive of Paytm (India’s most valuable startup), Deep Kalra of travel ticketing firm MakeMyTrip, and executives from PolicyBazaar, Sharechat and many other firms.
The growing list of founders expressed deep concerns about Google’s “monopolistic” hold on India, and discussed what they alleged was unfair and inconsistent enforcement of Play Store’s guidelines in the country.
The conversations, which began in recent weeks, escalated on Tuesday after Google said that starting next year developers with an app on Google Play Store must give the company a cut of as much as 30% of several app-related payments.
Dozens of executives “from nearly every top startup and firm” in India attended a call on Tuesday to discuss the way forward, some of the people said, requesting anonymity. A 30% cut to Google is simply unfeasible, people on the call unanimously agreed.
Vishal Gondal, the founder of fitness startup GOQii, confirmed the talks to TechCrunch and said that an alternative app store would immensely help the Indian app ecosystem.
TechCrunch reached out to Paytm on Monday for comment and the startup declined the request.
In recent months, several major startups in India have also expressed disappointment over several of the existing industry bodies, which some say have failed to work on nurturing the local ecosystem.
The tension between some firms and Google became more public than ever late last month after the Android-maker reiterated Play Store’s gambling policy, sending a shockwave to scores of startups in the country that were hoping to cash in on the ongoing season of Indian Premier League cricket tournament.
Google temporarily pulled Paytm’s marquee app from the Play Store citing repeat violation of its Play Store policies. Disappointed by Google’s move, Paytm’s Sharma said in a TV interview, “This is the problem of India’s app ecosystem. So many founders have reached out to us… if we believe this country can build digital business, we must know that it is at somebody else’s hand to bless that business and not this country’s rules and regulations.”
Google has sent notices to several firms in India including Hotstar, TechCrunch reported last month. Indian newspaper Economic Times reported on Wednesday that the Mountain View giant had also sent warnings to food delivery startups Swiggy and Zomato.
Vivek Wadhwa, a Distinguished Fellow at Harvard Law School’s Labor and Worklife Program, lauded the banding of Indian entrepreneurs and likened Silicon Valley giants’ hold on India to the rising days of East India Company, which pillaged India. “Modern day tech companies pose a similar risk,” he told TechCrunch.
Some of the participating members are also hopeful that the government, which has urged the citizens in India to become self-reliant to revive the declining economy, would help their movement.
Other than its reach on Android, Google today also leads the mobile payments market in India, TechCrunch reported earlier this year.
The giant, which has backed a handful of startups in India and is a member of several Indian industry bodies, invested $4.5 billion in Mukesh Ambani’s telecom giant Jio Platforms earlier this year.
India’s richest man Ambani, who runs oil-to-retails giant Reliance Industries, is an ally of Indian Prime Minister Narendra Modi. Jio Platforms has attracted over $20 billion in investment from Google, Facebook, and 11 other high-profile investors this year.
The voluminous investment in Jio Platforms has puzzled many industry executives. “I see no business case for Facebook investing in Jio beyond saying we need regulatory help,” said Miten Sampat, a high-profile angel-investor on a podcast published Wednesday.
“This is a white-collar way of saying there is corruption involved, and if the government gets upset, I have invested somewhere with some friend of the government. All of us are losing at the benefit of one company,” he said. Sampat’s views are shared by many industry executives, though nobody has said it on record and in such clearer terms.
Google said in July that it would work with Jio Platforms on low-cost Android smartphones. Jio Platforms is planning to launch as many as 200 million smartphones in the next three years, according to a pitch the telecom giant has made to several developers. Bloomberg first reported about Jio Platform’s smartphone production plans.
These smartphones, as is the case with nearly 40 million JioPhone feature phones in circulation today, will have an app store with only a few dozen apps, all vetted and approved by Jio, according to one developer who was pitched by Jio Platforms. An industry executive described Jio’s store as a walled-garden.
A possible viable option for startup founders is Indus OS, a Samsung-backed third-party store, which last month said it reaches over 100 million monthly active users. As of earlier this week, Paytm and other firms had not reached out to IndusOS, a person familiar with the matter said.
via TechCrunch https://techcrunch.com
September 30, 2020 at 08:52PM
WIRED25 Day 3: Look at Problems in a New Way
Conversations on the final day of this year’s WIRED25 event revolved around the existential mess that has characterized 2020: Covid-19, election integrity, California wildfires. But the experts who came together to share their insights into these problems, and the work they have been doing to confront them, also communicated a sense of genuine optimism.
National Institute of Allergy and Infectious Diseases director Anthony Fauci started off today’s event in conversation with WIRED editor at large Steven Levy. And while Fauci noted some alarming signs—40,000 new US cases each day, an increase in test positivity in some areas—he remains optimistic about an end to the pandemic. He has trust in the vaccine development process, and he thinks we should expect to have proof of a safe, effective vaccine by November or December. But for Fauci, the prospect of a vaccine in the next few months isn’t the only reason to be hopeful. He believes that hope itself is an effective tool in fighting the pandemic. “Despair makes you throw your hands up and say, it doesn’t matter what I do, what’s going to happen is going to happen,” he said. “That is incorrect. It does matter what we do. And if we do it for a while longer, we will look behind us and the outbreak will be behind us, not among us.”
Next, WIRED senior writer Andy Greenberg spoke with Marc Rogers, Nate Warfield, and Ohad Zaidenberg, who cofounded the volunteer group CTI League to protect hospitals and other essential organizations from phishing and ransomware during the pandemic. “It’s almost fair to say that this is a cyber pandemic, because the bad guys, criminal actors, have always exploited big events,” said Rogers. “And there is no bigger event than a global pandemic.” Even when the pandemic ends, however, hospitals, emergency services, and other organizations will still be vulnerable to cyberattacks, and so CTI League is now looking at ways to continue their work going forward.
WIRED senior writer Lily Hay Newman then spoke with another cybersecurity expert, Maddie Stone, who works as a security researcher at Google Project Zero. The goal of Project Zero is to find and eliminate zero-day vulnerabilities—unknown software flaws that could be exploited by hackers. Zero-day vulnerabilities can be difficult to find and use, so hackers deploy them for narrower applications. “They’re really targeted, sophisticated types of attacks, because it takes a lot of expertise to find them and to exploit them,” Stone said. “So they’re usually only used to target high profile, highly valuable targets, such as political dissidents, human rights activists, journalists, things like that.”
Newman stayed online to chat with Ben Adida, the executive director of VotingWorks, which is the only nonprofit maker of US election equipment. Given the complexity of US elections, Adida said, voting machines are a necessity, and they should not be produced by for-profit companies. “We think that elections are the foundation of democracy, and that foundation should be publicly owned,” he said. But despite persistent worries about voting machine hacks and Trump’s constant fear-mongering about voter fraud—including during last night’s presidential debate—Adida believes that the greatest risk to election integrity comes from us. “The biggest concern I have is that a lot of well-meaning folks out there who care about democracy are going to see an alarmist story on their Twitter feed, or in their Facebook feed, and they’re going to say, ‘I need to tell my friends about this,’” he said. “In the process, they become an unwitting participant in this misinformation game of reducing people’s trust in an election outcome.” He left his audience with a stark warning: “If we lose faith in democracy, we lose democracy.”
via Wired https://ift.tt/2uc60ci
September 30, 2020 at 07:30PM