SonicWall Critical Flaws Let Attackers Bypass Authentication


SonicWall has published a security notice addressing 15 vulnerabilities in its GMS and Analytics products.

CVEs have been assigned to all of them, and the notice ships patches for 4 Critical, 4 High, and 7 Medium severity vulnerabilities.

These vulnerabilities let attackers inject SQL queries and bypass authentication.

Critical Severity Vulnerabilities

CVE-2023-34134: Password Hash Read via Web Service

An unauthorized attacker can read the administrator password hash via a web service call leading to the exposure of sensitive information.

This vulnerability exists in SonicWall GSM and Analytics Web services products and has a CVSS Score of 9.8 (Critical).

CVE-2023-34133: Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass

This vulnerability exists in the application database due to improper neutralization of SQL injection commands that allow an attacker to exfiltrate sensitive information. This vulnerability has a CVSS Score of 9.8 (Critical).

CVE-2023-34124: Web Service Authentication Bypass

This vulnerability exists in the SonicWall GSM and Analytics Web Services, which had insufficient checks that led to authentication bypass. The CVSS Score for this vulnerability is given as 9.4 (Critical).

CVE-2023-34137: CAS Authentication Bypass

This vulnerability exists as SonicWall GSM and Analytics Web Services uses static values for authentication without proper checks which leads to authentication bypass. The CVSS Score for this vulnerability is given as 9.4 (Critical).

High Severity Vulnerabilities

CVE-2023-34127: Post-Authenticated Command Injection

This vulnerability exists in the SonicWall GSM and Analytics Web Services due to improper neutralization of special elements for commands used in OS command injection, allowing an attacker to execute arbitrary code with root privileges. The CVSS Score for this vulnerability is given as 8.8 (High).

CVE-2023-34123: Predictable Password Reset Key

This vulnerability exists due to the use of hard-coded cryptographic keys in the SonicWall GSM and Analytics Web Services. The CVSS Score for this vulnerability is given as 7.5 (High).

CVE-2023-34126: Post-Authenticated Arbitrary File Upload

This vulnerability allows an authenticated attacker to upload files to the filesystem of SonicWall GSM and Analytics Web Services with root privileges. The CVSS Score for this vulnerability is given as 7.1 (High).

CVE-2023-34129: Post-Authenticated Arbitrary File Write via Web Service (Zip Slip)

This vulnerability allows an authenticated attacker to traverse to a restricted directory and extract arbitrary files to any location on the filesystem with root privileges using the Zip Slip method. The CVSS Score for this vulnerability is 7.1 (High).

Here is a Comprehensive List of Vulnerabilities

CVE            | CVSS | Severity | Description
CVE-2023-34133 | 9.8  | Critical | Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass
CVE-2023-34134 | 9.8  | Critical | Password Hash Read via Web Service
CVE-2023-34124 | 9.4  | Critical | Web Service Authentication Bypass
CVE-2023-34137 | 9.4  | Critical | CAS Authentication Bypass
CVE-2023-34127 | 8.8  | High     | Post-Authenticated Command Injection
CVE-2023-34123 | 7.5  | High     | Predictable Password Reset Key
CVE-2023-34126 | 7.1  | High     | Post-Authenticated Arbitrary File Upload
CVE-2023-34129 | 7.1  | High     | Post-Authenticated Arbitrary File Write via Web Service (Zip Slip)
CVE-2023-34125 | 6.5  | Medium   | Post-Authenticated Arbitrary File Read via Backup File Directory Traversal
CVE-2023-34128 | 6.5  | Medium   | Hardcoded Tomcat Credentials (Privilege Escalation)
CVE-2023-34135 | 6.5  | Medium   | Post-Authenticated Arbitrary File Read via Web Service
CVE-2023-34136 | 6.5  | Medium   | Unauthenticated File Upload
CVE-2023-34130 | 5.3  | Medium   | Use of Outdated Cryptographic Algorithm with Hardcoded Key
CVE-2023-34131 | 5.3  | Medium   | Unauthenticated Sensitive Information Leak
CVE-2023-34132 | 4.9  | Medium   | Client-Side Hashing Function Allows Pass-the-Hash

Affected Products

Product   | Affected Version      | Fixed in Version
GMS       | 9.3.2-SP1 and before  | GMS 9.3.3
Analytics | 2.5.0.4-R7 and before | Analytics 2.5.2

Users of these products should upgrade to the fixed versions to prevent exploitation by threat actors; more details can be found in the SonicWall advisory.
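The following is an added example, not code from SonicWall or from this article: a small version check that tells an administrator whether an installed GMS or Analytics build falls inside the affected range from the table above and therefore needs the fixed release. The version strings come from the advisory; the ordering rule for suffixes such as "-SP1" and "-R7" (a suffix orders builds within the same numeric core, and a bare core sorts before any suffixed build) is this example's own assumption.

```python
"""Added example, not from the SonicWall advisory or this article: decide
whether an installed GMS or Analytics build is at or below the last affected
release in the advisory and therefore needs the fixed version.
Assumption (mine): a suffix such as '-SP1' or '-R7' orders builds within the
same numeric core, and a bare core (no suffix) sorts before any suffixed build."""
import re

# Data from the advisory table on the page.
LAST_AFFECTED = {"GMS": "9.3.2-SP1", "Analytics": "2.5.0.4-R7"}
FIXED = {"GMS": "9.3.3", "Analytics": "2.5.2"}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-[A-Za-z]*(\d+))?")


def parse_version(text):
    """'9.3.2-SP1' -> ((9, 3, 2), 1); '9.3.3' -> ((9, 3, 3), 0)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(part) for part in m.group(1).split("."))
    suffix = int(m.group(2)) if m.group(2) else 0
    return core, suffix


def version_le(a, b):
    """True if version a <= version b; shorter cores are padded with zeros."""
    core_a, suf_a = parse_version(a)
    core_b, suf_b = parse_version(b)
    width = max(len(core_a), len(core_b))
    core_a += (0,) * (width - len(core_a))
    core_b += (0,) * (width - len(core_b))
    return (core_a, suf_a) <= (core_b, suf_b)


def needs_upgrade(product, installed):
    """True if `installed` is within the affected range for `product`."""
    if product not in LAST_AFFECTED:
        raise KeyError(f"unknown product: {product}")
    return version_le(installed, LAST_AFFECTED[product])


def upgrade_advice(product, installed):
    if needs_upgrade(product, installed):
        return f"{product} {installed}: affected, upgrade to {FIXED[product]}"
    return f"{product} {installed}: not in the affected range"


if __name__ == "__main__":
    for product, version in [("GMS", "9.3.2-SP1"), ("GMS", "9.3.3"),
                             ("Analytics", "2.5.0.4-R7"), ("Analytics", "2.5.2")]:
        print(upgrade_advice(product, version))
```

Feed it the version string shown in the appliance's web console; anything reported as affected should be scheduled for the upgrade named in the advisory.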


Google Play Store policy shift: apps now permitted to sell NFTs


Google has just announced a big update to the Google Play Store policy, specifically for Android apps. This update allows app developers to include digital assets, like Non-Fungible Tokens (NFTs), in their apps.

If you wonder what NFTs are: they are like certificates that prove you own something unique in the digital world, such as art, music, or virtual items. NFTs work using a technology called blockchain, which keeps track of who owns what. NFTs allow, for example, artists and creators to sell their digital creations directly to fans, while collectors can own and trade these one-of-a-kind digital items.

In a recent blog post, Google (via Android Authority) emphasized the importance of being transparent with users about these tokenized digital assets. It wants developers to clearly inform users if their apps contain such digital assets.

Google is serious about preventing any promotion or glorification of potential earnings from playing or trading activities. The company wants to protect users from sketchy practices and prevent the spread of questionable NFT apps in the Play Store.

The updated guidelines are to make sure that apps follow the existing policies for Real-Money Gambling, Games, and Contests. Apps must meet certain requirements and should not involve money transactions that allow users to win assets of unknown real-world monetary value, including NFTs. Google discourages the use of random blockchain-based items, like the controversial “loot boxes,” which have raised concerns about fairness and transparency.

While these new policies set important rules, they also encourage innovation in the app development community. Google’s Group Product Manager, Joseph Mills, mentioned the exciting possibilities this update brings. Developers now have the freedom to create unique gaming experiences by incorporating user-owned content and rewarding users with special NFTs to increase their loyalty.

Google will introduce the changes gradually to make the transition smooth and gather valuable feedback. Initially, a selected group of developers will be given the chance to offer apps and games containing blockchain-based digital content in the Play Store. Ongoing partnerships will be established to test how users interact with these digital assets and improve the user experience.



Microsoft July Patch Tuesday Fixed Six Zero-Day Vulnerabilities


The July 2023 Patch Tuesday update bundle patched at least six different actively-exploited vulnerabilities across different Microsoft products. In all, the update bundle addressed 132 different vulnerabilities.

Six Zero-Day Flaws Addressed With July Updates

While keeping the systems updated with the latest security fixes is always critical, the July updates are crucial for Microsoft users. That’s because Microsoft released patches for six zero-day vulnerabilities addressing different components.

Microsoft had withheld the details of one of the six CVEs from the public at the time of writing, but it disclosed details about the other five vulnerabilities under attack. All of these vulnerabilities carry an Important severity rating.

These include two privilege escalation flaws, each with CVSS 7.8, in the Windows MSHTML Platform (CVE-2023-32046) and the Windows Error Reporting Service (CVE-2023-36874); two security feature bypass (SFB) vulnerabilities, each with CVSS 8.8, affecting Windows SmartScreen (CVE-2023-32049) and Microsoft Outlook (CVE-2023-35311); and a single remote code execution vulnerability (CVSS 8.3) in Office and Windows HTML (CVE-2023-36884). Microsoft acknowledged that this last vulnerability was publicly disclosed before a fix was available.

Other Microsoft Patch Tuesday Updates For July 2023

Alongside the zero-days, Microsoft addressed over 100 other vulnerabilities with July Patch Tuesday. These include 9 critical severity issues and 116 important severity vulnerabilities.

Among these, the most notable security fix addressed a remote code execution vulnerability in Microsoft Message Queuing (CVE-2023-32057). An attacker may exploit this flaw by sending maliciously crafted MSMQ packets to an MSMQ server.

Besides releasing the patch, Microsoft has also shared a workaround that mitigates this issue by blocking TCP port 1801. According to Microsoft’s advisory, users can check the Control Panel for “Message Queuing” among the running services and verify whether TCP port 1801 is listening on the machine.

The July update bundle includes no fixes for low-severity vulnerabilities. The number of fixes and the high severity of all the flaws underline the importance of this bundle. Hence, while the updates will reach all eligible devices automatically, users should still check for updates manually to receive all security fixes in time.
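As an added example (not part of Microsoft's advisory or this article), here are two ways to verify the MSMQ workaround described above: a live TCP probe that tells you whether port 1801 still accepts connections from another host after the block is in place, and an offline parser that finds port-1801 listeners in `netstat -ano` output so the check can be run across many exported host reports. The netstat lines embedded below are constructed for illustration.

```python
"""Added example, not from Microsoft's advisory or this article: check whether
TCP port 1801 (Message Queuing) is reachable or listening on a host."""
import socket

MSMQ_PORT = 1801


def port_accepts_connections(host, port=MSMQ_PORT, timeout=1.0):
    """Live probe: True if a TCP connect to host:port succeeds.
    Run it against your own hosts to confirm a port-1801 block is effective."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def tcp_listeners(netstat_lines, port=MSMQ_PORT):
    """Offline check over `netstat -ano` output: return (local_address, pid)
    for every TCP socket in LISTENING state bound to `port` (IPv4 or IPv6)."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        # TCP rows: proto, local, remote, state, pid; UDP rows carry no state.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local, pid = fields[1], fields[4]
        if local.rsplit(":", 1)[-1] == str(port):
            hits.append((local, pid))
    return hits


# Constructed sample of `netstat -ano` output (not real telemetry).
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       3456
  TCP    192.168.1.10:49700     52.1.2.3:443           ESTABLISHED     2210
  TCP    [::]:1801              [::]:0                 LISTENING       3456
  UDP    0.0.0.0:1801           *:*                                    3456
""".strip().splitlines()


if __name__ == "__main__":
    for local, pid in tcp_listeners(SAMPLE_NETSTAT):
        print(f"MSMQ listener {local} (PID {pid}) - apply the patch or block the port")
```

A listener showing up in the parser output means the service is running and exposed locally; the live probe from a second machine then tells you whether the firewall block actually stops remote MSMQ traffic.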

Let us know your thoughts in the comments.


OWASP ZAP 2.13.0 Released – What’s New!


The OWASP Zed Attack Proxy is a widely used tool for conducting web application penetration testing. It is free and open-source.

ZAP functions as a proxy between the tester’s browser and the web application, intercepting and scrutinizing messages.

ZAP is a tool that serves various professionals, from developers to security testing specialists, as well as those who are new to security testing.

ZAP 2.13.0

The new release of ZAP 2.13.0 adds support for HTTP/2, improved authentication handling, and Mac Silicon.

Starting from ZAP version 2.13.0, HTTP/2 is supported by default; no configuration changes are required.

The new version also enhances authentication handling, which helps auto-authenticate many web apps by just supplying the login page URL along with the credentials.

The latest update now allows support for Mac Silicon in the installer and docker images. You can obtain the docker images from the GitHub Container Registry.

New Scalable Options

“All of the ‘attack’ tools which use threading, including both spiders and active scanner, have been changed to use 2x the number of processors as the default number of threads,” reads the ZAP release notes.

The network Rate Limiting feature enables pentesters to limit the rate of HTTP/HTTPS requests and avoid overloading the target.

New scan rules have been added to ZAP that allow pentesters to scan for popular vulnerabilities such as:

New Add-Ons

The Selenium add-on has been updated to use the Selenium v4 library.

A Selenium Authentication Helper add-on has also been released, which helps testers identify and set up authentication with ZAP.

A complete list of enhancements and fixes can be found here.


Hackers Leverage USB Flash Drives to Steal Secrets


During the first half of 2023, a notable surge occurred in attacks using infected USB drives to steal secrets.

These USB-based campaigns caused most of the incidents observed, impacting both public and private sector organizations worldwide.

Cybersecurity analysts at Mandiant Managed Defense recently observed two cyber espionage campaigns that are based on USB flash drives. 

Security researchers dubbed the two campaigns:

  • SOGU Malware Infection
  • SNOWYDRIVE Malware Infection

We have provided comprehensive information about two USB-based attacks that hackers are currently using to target both public and private organizations.

SOGU Malware Infection

This USB-based cyber espionage attack is highly widespread, targeting public and private sectors globally, making it one of the most aggressive campaigns across industries.

According to the report, the SOGU malware, loaded via USB flash drives to steal sensitive information, is linked to China’s TEMP.Hex actor, likely driven by national security and economic motives.

Organizations in Europe, Asia, and the United States across the following industries face risks from these operations:

  • Construction
  • Engineering
  • Business services
  • Government
  • Health
  • Transportation
  • Retail
  • Entertainment
  • Manufacturing
  • Education
  • Finance
  • Logistic
  • Non-Profit
  • Media
  • Communications
  • IT
  • Energy
  • Pharmaceutical
Geographic distribution (Source – Mandiant)

The infected USB flash drive acts as the initial infection vector, housing multiple malicious software triggering DLL hijacking to load a malicious payload into memory.

SOGU Malware Infection Chain (Source – Mandiant)

The complete infection chain consists of three files:

  • A legitimate executable
  • A malicious DLL loader
  • An encrypted payload 

Upon running the legitimate executable, it side-loads the KORPLUG DLL, initiating the execution of decrypted shellcode (.dat file) associated with the SOGU backdoor, identified by Mandiant.

After dropping a batch file in the RECYCLE.BIN path, the infection proceeds with host reconnaissance, storing the results in a file named “sys.info” (the Base64 string c3lzLmluZm8 decodes to this name).

The malware disguises itself as a genuine program and creates a hidden directory to ensure its persistence on the system.

In the final attack stage, the malware communicates with its command and control server and exfiltrates the staged data using custom binary protocols over TCP/UDP and ICMP.

SNOWYDRIVE Malware Infection

Using USB flash drives, this campaign deploys SNOWYDRIVE malware, establishing a host backdoor for remote command execution, while also infecting other flash drives and spreading across the network.

Mandiant attributed this campaign to UNC4698, an oil-focused threat actor. The campaign was first detected during a hunt for Windows Explorer process executions, which revealed a suspicious folder path (e.g., “F:”) often linked to malware executing from USB drives.

The infected USB flash drive serves as the initial infection vector: the victim is enticed to click a malicious file disguised as a legitimate executable, triggering the execution chain that serves the attacker’s objectives.

SNOWYDRIVE Malware Infection Chain (Source – Mandiant)

The infection chain begins with an executable dropper that writes and launches malicious files. The extracted executables and DLLs from the encrypted files are written to the specified directory:-

  • C:\Users\Public\SymantecsThorvices\Bin

These files comprise four components, each consisting of a legitimate executable and a malicious DLL that is loaded through DLL search order hijacking.

Execution chain  (Source – Mandiant)

The SNOWYDRIVE backdoor generates a unique ID from system information for C2 communication, with a hard-coded domain in its shellcode. Persistence is achieved through the “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ushsguaei1hgba” registry value, which stores the path of “Silverlight.Configuration.exe”.

The malware copies itself onto plugged-in removable drives, creating a “<drive_root>\Kaspersky\Usb Drive\3.0” folder that stores its encrypted malicious files. An extracted executable, “aweu23jj46jm7dc”, is written to <drive_root><volume_name>.exe and handles decryption and execution of the file contents.

Organizations are strongly urged to restrict access to external devices such as USB drives, or to scan them thoroughly for malicious files before they are connected to the network.
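The following is an added example, not code from Mandiant or from this article: a small rule set that flags the SOGU and SNOWYDRIVE indicators described above (an executable launched by Explorer from a removable-drive root, the SymantecsThorvices\Bin staging directory, the Run-key value, the Kaspersky\Usb Drive\3.0 USB folder, and the sys.info reconnaissance output) when run over endpoint telemetry. The event records and their field names are a constructed format for illustration, not any EDR product's schema, and the assumption that C: is the system drive is mine.

```python
"""Added example, not from Mandiant's report or this article: match the SOGU and
SNOWYDRIVE indicators described above against constructed telemetry events."""
import base64
import re

# The report gives the reconnaissance output name Base64-encoded; decode it
# (restoring the padding the article dropped) instead of hard-coding the name.
_B64 = "c3lzLmluZm8"
RECON_FILE = base64.b64decode(_B64 + "=" * (-len(_B64) % 4)).decode()  # "sys.info"

RUN_KEY = r"\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ushsguaei1hgba"
PERSIST_EXE = "Silverlight.Configuration.exe"
STAGING_DIR = r"\SymantecsThorvices\Bin"
USB_DIR = r"\Kaspersky\Usb Drive\3.0"
# An .exe sitting directly at the root of a non-C: drive (assumes C: is the system drive).
ROOT_EXE = re.compile(r"^[D-Z]:\\[^\\]+\.exe$", re.IGNORECASE)


def check_event(ev):
    """Return the names of every rule a single event matches."""
    hits = []
    kind = ev.get("type")
    path = ev.get("path", "")
    low = path.lower()
    if kind == "process":
        # The SNOWYDRIVE hunt: Explorer launching an executable from a path like F:\
        if ev.get("parent", "").lower() == "explorer.exe" and ROOT_EXE.match(path):
            hits.append("exe_launched_from_removable_root")
        if STAGING_DIR.lower() in low:
            hits.append("snowydrive_staging_dir")
    elif kind == "registry":
        key_matches = ev.get("key", "").lower().endswith(RUN_KEY.lower())
        data = ev.get("data", "").lower()
        if key_matches and (ev.get("value") == RUN_VALUE or PERSIST_EXE.lower() in data):
            hits.append("snowydrive_run_key_persistence")
    elif kind == "file":
        if USB_DIR.lower() in low:
            hits.append("snowydrive_usb_copy")
        if low.endswith("\\" + RECON_FILE):
            hits.append("sogu_recon_output")  # generic name: treat as low confidence alone
    return hits


def scan(events):
    """Return (event_index, rule_name) for every match across the event list."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry (not real data). Paths and values are either the
# indicators named in the article or made-up benign examples.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "path": r"F:\Documents.exe"},
    {"type": "process", "parent": "explorer.exe", "path": r"C:\Windows\notepad.exe"},
    {"type": "process", "parent": "services.exe",
     "path": r"C:\Users\Public\SymantecsThorvices\Bin\Silverlight.Configuration.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": RUN_VALUE,
     "data": r"C:\Users\Public\SymantecsThorvices\Bin\Silverlight.Configuration.exe"},
    {"type": "file", "path": r"E:\Kaspersky\Usb Drive\3.0\aweu23jj46jm7dc"},
    {"type": "file", "path": r"C:\$RECYCLE.BIN\S-1-5-21-1\sys.info"},
]


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The root-drive rule is the noisiest of the five (users do run installers from USB sticks), so in practice it is worth correlating with the registry or staging-directory hits before raising an alert.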


Criminals target businesses with malicious extension for Meta’s Ads Manager and accidentally leak stolen accounts


A group of criminals is actively targeting Facebook business users to gain access to their advertising accounts via malicious Chrome extensions. But we spotted that they made a mistake…

Like all social media platforms, Facebook constantly has to deal with fake accounts, scams and malware. We have written about scams targeting consumers that redirect to fake Microsoft alert pages, but there are also threats targeting businesses that use Facebook to promote their products and services.

In the past few weeks, there’s been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook’s own Ads Manager. Crooks are promising better advertising via optimization, and increased performance when you use their (malware-laden) software. Meta has tracked and analyzed several threat actors such as DuckTail that have been active for a number of years with a particular interest for Facebook advertising accounts.

Now, we’ve discovered a new attack that uses malicious Chrome extensions to steal Facebook account credentials and is not related to the DuckTail malware. While tracking this campaign, we noticed the threat actors made a mistake when they packaged one of the malware files with their own stolen data.

We have passed the information about this campaign and the threat actors to Meta and thank them for taking prompt action following our report.

Key takeaways

  • Vietnamese threat actors are actively targeting Facebook business accounts
  • Victims are lured via fake Ads Manager software promoted on Facebook
  • Malicious Google Chrome extensions are used to steal and extract login information
  • Over 800 victims worldwide, 310 in the US
  • More than $180K in compromised ad budget

Fake Ads Manager accounts

Ads Manager is the product that enables users to run online ads on Facebook, Instagram and other platforms owned by Meta. An article in TechCrunch from May describes how scammers were buying ads from Meta via verified accounts. They were trying to entice potential victims into downloading software to manage their advertising via a “more professional and secure tool”.

In early June, we identified fraudulent accounts running the same scam using similar lures. It is also worth noting that these accounts often have tens of thousands of followers and any of their posts can quickly become viral. Scammers are primarily targeting business users who may spend ad dollars on the platform.

In order to compromise those accounts, they first need to redirect potential victims onto external websites. We’ve seen several different domains that are essentially phishing pages using the Meta logo and branding. The lure is the Facebook Ads Manager program that is pushed via a download link. We’ve seen various cloud providers abused to host these password-protected RAR archives ranging from Google to Trello, as seen below.

Malicious Chrome extension

Once extracted from the archive, the file is an MSI installer package that installs several components under C:\Program Files (x86)\Ads Manager\Ads Manager. We can see a batch script (perhaps named after Google Bard), and two folders. One of them is for a custom Chrome extension while the System folder contains a standalone WebDriver file.

The batch script is launched after the MSI installer completes and essentially spawns a new browser window launched with the custom extension from that previous installation path, pointing the victim to the Facebook login page.

taskkill /F /IM chrome.exe
taskkill /F /IM chromedriver.exe
timeout /t 1 >nul
start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "https://www.facebook.com/business/tools/ads-manager"

That custom extension is cleverly disguised as Google Translate and is considered ‘Unpacked’ because it was loaded from the local computer, rather than the Chrome Web Store. A quick look at its source code reveals immediate hex obfuscation in an attempt to hide what it is actually doing.

After reverse engineering this extension, it became quite clear that it had nothing to do with Google Translate. In fact, the code is entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts. We can see that the threat actors are interested in Facebook cookies which they request via the cookies.getAll method.

We also notice an interesting way to exfiltrate that data by using Google Analytics. This technique was previously documented by HUMAN as a way to bypass CSP.
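As an added example (not code from Malwarebytes or from the campaign), here is a defender-side audit of the two things described above: a Chrome command line that sideloads an unpacked extension via `--load-extension`, and an extension manifest that requests the `cookies` permission together with host access to facebook.com, which is exactly what `chrome.cookies.getAll` on Facebook's domain requires. The sample command line is the one from the batch script above; the manifest is constructed to resemble the described behaviour and is not the real extension's manifest.

```python
"""Added example, not from Malwarebytes' write-up: find sideloaded Chrome
extensions on a command line and audit a manifest.json for the capability
this campaign needs (reading facebook.com cookies)."""
import json
import re
from urllib.parse import urlparse

# Chrome's --load-extension accepts a comma-separated list of directories.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')


def sideloaded_extensions(cmdline):
    """Return every directory passed via --load-extension."""
    paths = []
    for m in LOAD_EXT.finditer(cmdline):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p for p in raw.split(",") if p)
    return paths


def host_of(pattern):
    """'https://*.facebook.com/*' -> '*.facebook.com'; '<all_urls>' -> '*'."""
    if pattern == "<all_urls>":
        return "*"
    return urlparse(pattern).netloc or pattern


def audit_manifest(manifest):
    """Return findings for a parsed manifest.json (Manifest V2 or V3)."""
    perms = set(manifest.get("permissions", []))
    hosts = {host_of(p) for p in manifest.get("host_permissions", [])}
    # MV2 manifests list host patterns inside "permissions" as well.
    hosts |= {host_of(p) for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if "cookies" in perms:
        findings.append("cookies_permission")
    facebook = any(h == "*" or h.endswith("facebook.com") for h in hosts)
    if facebook:
        findings.append("facebook_host_access")
    if "cookies" in perms and facebook:
        # chrome.cookies.getAll for facebook.com needs both grants together.
        findings.append("can_read_facebook_session_cookies")
    if any(h.endswith("google-analytics.com") for h in hosts):
        findings.append("analytics_host_possible_exfil_channel")
    return findings


# The launch line from the batch script quoted in the article.
SAMPLE_CMDLINE = (
    r'start chrome.exe --load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" '
    r'"https://www.facebook.com/business/tools/ads-manager"'
)

# Constructed manifest (not the real extension's): a "Google Translate" name
# with cookie access to facebook.com and an analytics host.
SAMPLE_MANIFEST = json.loads("""{
  "name": "Google Translate",
  "manifest_version": 3,
  "permissions": ["cookies", "storage"],
  "host_permissions": ["https://*.facebook.com/*", "https://www.google-analytics.com/*"],
  "background": {"service_worker": "bg.js"}
}""")


if __name__ == "__main__":
    print("sideloaded:", sideloaded_extensions(SAMPLE_CMDLINE))
    print("findings:", audit_manifest(SAMPLE_MANIFEST))
```

On a fleet, the command-line check is the cheap first pass (a browser launched with `--load-extension` from a path under Program Files is unusual for ordinary users); the manifest audit then tells you whether the sideloaded extension can actually read the session cookies the article says this campaign targets.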

Accidental leak

In total, we identified over 20 different malicious Facebook Ad Manager archives that installed Chrome extensions or instead went with traditional malware executables. While there are variations between samples, the attackers’ main goal appears to be the same, namely to collect Facebook business accounts.

While investigating a new phishing site, we saw an archive for download that looked quite different from the others. Ironically, it seems the threat actors made a mistake and, instead of including the payload, leaked their own stolen data, or rather the data they had stolen from victims.

The site we came across pretends to be Meta Ads Manager and boasts the same claims of increasing ad performance that we’ve seen before. There is a button to download a file called Meta Ads Manager.rar which is hosted on Google Drive.

However, this archive does not contain the expected MSI installer, but instead several text files that were last modified on June 15:

While the file names are self-explanatory, we can see that they contain information about authentication (checkpoint, cookie, token). There is also information about the threat actor who shared this file (file owner) via Google Drive and their Gmail email address (this information has been passed to Meta for further action).

The first row of the file called List_ADS_Tach.txt contains column headers with some names in Vietnamese, confirming the nationality of the individuals behind these attacks. In total, there are 828 rows, which translates into just as many Facebook accounts that were breached.

As expected, the threat actors are particularly interested in their victims’ advertising accounts. We can see different metrics related to ad budget (column titles were translated from Vietnamese and may be slightly inaccurate) as well as currencies:

Prized accounts will be those that have a large remaining balance for ad spend. While we do not know if this threat actor is directly associated with DuckTail, they have the same motives of financial profit from hacked Facebook business accounts.

Finally, by converting the data into a map, we can see that victims are not confined to a particular geolocation, in fact they are distributed worldwide.

The threat actors realized their mistake a few days later and trashed the file from their Google Drive account. They also updated the download link on the phishing site, with a new file hosted via MediaFire (fortunately for users, the file was detected as malware and the download is blocked).

A low cost, high yield threat

Business users may be tempted to optimize their ad campaigns on Facebook by clicking on certain posts and downloading programs that claim to increase their earnings. This is, however, a very dangerous practice even if (or especially if) the instructions claim that the software is secure and free of malware. Remember that there is no silver bullet and anything that sounds too good to be true may very well be a scam in disguise.

Fraudsters have a lot of time on their hands and spend years studying and understanding how to abuse social media and cloud platforms, where it is a constant arms race to keep bad actors out. Based on reports highlighted in TechCrunch’s recent article, the threat actors may also reinvest some of the stolen ad budgets to place malicious ads that ensnare more victims, perpetuating this cycle.

If you did happen to download one of those malicious Facebook Ad Manager installers, Malwarebytes has your back. We were already picking up several components from these campaigns and have added additional protection for optimal detection coverage. Victims will also want to revoke access to unknown users from their Business Manager account profile that the fraudsters may have added, as well as review their transactions history.

We would like to thank Meta for being receptive to our report and helping to keep users safe.

Indicators of Compromise

Decoy site

fbadmanage[.]info

RAR archives (password 888 or 999)

Analyzed MSI file

fd637520a9ca34f7b4b21164581a4ec498bf106ba168b5cb9fcd54b5c2caafd0



7 Best IP Geolocation API For Cybersecurity


IP geolocation API services can do far more than serve website visitors in their local language and currency using IP lookup. They can also play a critical role in cybersecurity.

Geolocation data can identify the source IP addresses of DDoS (Distributed Denial of Service) attackers in real time.

You can then take that data to the relevant ISP (Internet Service Provider) and ask them to block those IP addresses to stop the attack.

Some cybercriminals will also try to bypass geolocation services to commit fraud, for example by using VPNs (Virtual Private Networks) to spoof a legitimate location.

So, the capability to detect VPNs and other threats can prove critical, especially where customer data and money are involved.

So, here are six of the best IP geolocation APIs for cybersecurity. 

What is an IP Geolocation API?

An IP geolocation API is a service that provides geolocation data based on an IP address. It enables you to pinpoint the location of an IP address, which is helpful for many different services and applications.

IP geolocation APIs map IP addresses to geographic information such as country, city, region, latitude and longitude coordinates, time zone, Internet Service Provider (ISP), and other pertinent facts. This information is derived from databases, network infrastructure data, and other sources.

Where are the IP Geolocation APIs Used?

IP geolocation APIs are frequently employed in many different applications, such as:

  • Targeted Advertising: IP geolocation allows advertisers to target consumers in their unique region or nation.
  • Fraud Detection: IP geolocation can be used to spot fraudulent or otherwise suspicious activity.
  • Security: IP geolocation can aid in the detection and blocking of potentially harmful or malicious IP addresses.
  • Compliance with Regulatory Requirements: Some industries face stringent regulations that vary by user location, such as online gaming, online pharmacies, and age-restricted content platforms.
  • Content Licensing and Copyright Compliance: Content providers, such as streaming platforms, are subject to copyright laws and license agreements.
  • Network and System Administration: Network administrators can benefit from using IP geolocation APIs to manage and monitor their networks. IP address geolocation, network traffic monitoring, and user behavior analysis are all within their capabilities.
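The fraud-detection and security use cases above come down to turning a lookup response into a decision. As an added example (not any vendor's SDK or code from this article), the function below scores a login or checkout from the fields geolocation APIs typically return: anonymizer flags, the connection's ASN type, and the country compared with what the account expects. The response shape (keys such as `security` and `connection`) is my own assumption for illustration and should be mapped to whichever provider you use; the sample response is constructed.

```python
"""Added example, not from any geolocation vendor: risk-score a request using
the kind of fields an IP geolocation API returns. Field names are assumed."""

# Constructed sample response (not a real lookup). 203.0.113.0/24 and AS64496
# are reserved for documentation.
SAMPLE_RESPONSE = {
    "ip": "203.0.113.42",
    "country_code": "NL",
    "city": "Amsterdam",
    "security": {"is_vpn": True, "is_proxy": False, "is_tor": False},
    "connection": {"asn": 64496, "type": "hosting"},
}


def assess(response, expected_country=None, allowed_countries=None):
    """Return (score, reasons); a higher score is more suspicious.
    Missing fields are treated as unknown rather than as evidence, except that
    an unknown country earns a small penalty because the geo check cannot run."""
    reasons = []
    score = 0
    sec = response.get("security") or {}
    conn = response.get("connection") or {}
    country = response.get("country_code")

    # Anonymizer signals: the VPN/proxy spoofing the article describes.
    for flag, weight in (("is_tor", 50), ("is_vpn", 30), ("is_proxy", 30)):
        if sec.get(flag):
            reasons.append(flag)
            score += weight
    # Real customers rarely arrive from data-centre address space.
    if conn.get("type") == "hosting":
        reasons.append("hosting_asn")
        score += 20
    if country is None:
        reasons.append("country_unknown")
        score += 10
    else:
        if expected_country and country != expected_country:
            reasons.append(f"country_mismatch:{country}!={expected_country}")
            score += 25
        if allowed_countries and country not in allowed_countries:
            reasons.append(f"country_not_allowed:{country}")
            score += 40
    return min(score, 100), reasons


def decision(score, review_at=30, block_at=70):
    """Map a score to an action; thresholds are illustrative, tune them to your data."""
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "step_up_or_review"
    return "allow"


if __name__ == "__main__":
    score, reasons = assess(SAMPLE_RESPONSE, expected_country="US")
    print(score, decision(score), reasons)
```

The weights are deliberately simple so the reasons list stays explainable to an analyst; a VPN flag on its own only triggers step-up verification, while a VPN plus a hosting ASN plus a country mismatch is enough to block.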

Best IP Geolocation APIs Features:

1. Abstract
   1. Precise IP geolocation information.
   2. Global coverage in its entirety.
   3. Updating data in real time.
   4. API integration is simple.
   5. Diverse possibilities for use.

2. IP2Location.io
   1. Precise IP geolocation information.
   2. Global coverage in its entirety.
   3. Updating data in real time.
   4. API integration is simple.
   5. Diverse possibilities for use.

3. Ipbase
   1. Accurate IP geolocation data.
   2. Global coverage of IP addresses.
   3. Real-time data updates.
   4. Developer-friendly API integration.
   5. Diverse geolocation applications are supported.

4. ipgeolocation.io
   1. IP address coverage on a global scale.
   2. Updating data in real time.
   3. Applications for flexible geolocation are supported.
   4. API integration designed for developers.

5. DB-IP
   1. A wide range of IP addresses are covered.
   2. Data updates are provided in real time.
   3. Additional data points are included.
   4. API integration designed for developers.

6. ipdata
   1. A wide range of IP addresses are covered.
   2. Data updates are provided in real time.
   3. Additional data points are included.
   4. API integration designed for developers.

7. ipinfo
   1. Dependable IP geolocation data.
   2. IP address coverage on a worldwide basis.
   3. Updating data in real time.
   4. Support for API integration.
   5. Diverse possibilities for use.

7 Best IP Geolocation APIs in 2023

  • Abstract
  • IP2Location.io
  • Ipbase
  • ipgeolocation.io
  • DB-IP
  • ipdata
  • ipinfo
Abstract

Abstract’s powerful IP geolocation service covers over 1.75 million locations across 225,000 cities worldwide, supporting IPv4 and IPv6.

Abstract’s IP geolocation responses also provide information about the timezone, current time, GMT offset, etc.

Furthermore, their IP geolocation responses include country flags in various formats, such as SVG, PNG, emoji, and Unicode, providing visual representation and an enhanced user experience.

Designed to be simple yet powerful, Abstract’s modern REST API strikes the perfect balance between usability and functionality — built to provide a quick time-to-value and an excellent developer experience.

On the other hand, non-programmatic users can use a CSV upload tool that allows bulk queries in easy-to-use formats.

Most importantly, security is a top priority for Abstract, ensuring bank-level protection for all queries.

Any data transmitted to their IP Geolocation API is encrypted using 256-bit SSL encryption (HTTPS), guaranteeing the confidentiality and integrity of the information.

Features:

  • It assists in locating a physical IP address’s location, such as its nation, region, or city.
  • Although it strives for accuracy, there may be restrictions because of many aspects, including how IP addresses are assigned or whether a user utilizes a proxy server.
  • It gives current details about the location connected to an IP address.
  • Developers can include IP geolocation in their programs or websites using specialized tools (APIs).
  • It can let you know whether the IP address belongs to a home user, a company, a mobile device, or a proxy server.

What is best for:

  • Accurate location identification
  • Real-time data updates
  • Versatile usage options.

What could be better:

  • Potential limitations in accuracy
  • Dependence on available data
IP2Location.io

IP2Location.io provides a fast and accurate IP Geolocation API tool to determine a user’s geolocation information, such as country, region, city, latitude & longitude, ZIP code, time zone, ASN, ISP, domain, net speed, IDD code, area code, weather station data, MNC, MCC, mobile brand, elevation, usage type, address type, advertisement category, and proxy data.

It supports IPv4 and IPv6 lookup and can be easily integrated into any application. You can get up to 30,000 IP Geolocation API credits per month for free.

In addition, every plan comes with Domain WHOIS API credits – WHOIS API domain lookup that returns comprehensive WHOIS data, such as domain assigned owner contact information, registrar information, registrant information, location, and much more.

The Free package comes with 500 WHOIS API credits per month.

The IP2Location.io IP geolocation web service uses a granular, pay-as-you-go credit system.

This means it can source simple geographical location information such as city and latitude/longitude and scale up to elevation and weather station.

This API can detect threats, which could support many use cases. However, the full spectrum of threat detection is only available in its sister product, the ip2proxy web service.

Features:

  • Accurate IP geolocation information, including country, region, city, ZIP/postal code, and time zone.
  • A vast database covering IPv4 and IPv6 addresses from around the world.
  • Real-time updates to guarantee the most recent geolocation data.
  • Simple API for smooth integration into systems, websites, or apps.
  • Versatile use for analytics, cybersecurity, ad targeting, content customization, and geotargeting.

Advantages:

  • Accurate geolocation data
  • Comprehensive global coverage
  • Versatile usage options

What could be better:

  • Limited free usage tier
  • Potential dependence on API integration.

Ipbase

ipbase.com provides a powerful IP Geolocation API to gather all necessary location-related information, from country and region details to ZIP codes and time-zone data.

It delivers comprehensive coverage backed by up-to-the-minute data sets for applications such as content customization and targeting specific groups with ads.

ipbase.com provides extensive documentation and integration options, catering to developers working in various programming languages.

Its infrastructure is structured to support IPv4 and IPv6 addresses while ensuring solid data security and user privacy.

Moreover, IPbase.com’s reliable performance delivers seamless integration into diverse applications and systems.

Features:

  • Precise IP address geolocation information.
  • IP address coverage across the globe.
  • Real-time updates for current information.
  • Simple data retrieval through API connectivity.
  • Applicable to analytics, fraud prevention, geotargeting, and content personalization.

What is best for:

  • Global coverage
  • Content customization, among other uses.
  • Developer-friendly API for easy integration.

What could be better:

  • Potential limitations in accuracy
  • The pricing structure may not be suitable for all users.
  • Only a few extra data points.

ipgeolocation.io

This geolocation API can detect a user’s location, sourcing geolocation information including country flag and name, latitude/longitude, currency, and ASN (ISP).

Free IP geolocation is available with a plan that supports up to 30,000 API requests per month at up to 1,000 per day. This API is organized into various modules, all available at all tiers.

This includes the security module, which can detect TOR, proxies, and VPNs and use this data to assign a threat score.

Features:

  • IP geolocation data to determine location.
  • Bulk IP lookup for handling several IP addresses at once.
  • IP-to-organization mapping for identifying the owning company.
  • Time zone identification for precise time-related data.
  • API designed for developers to make integration into apps simple.

What is best for:

  • Accurate and reliable IP geolocation data.
  • Additional data points are available, such as organization and time zone.
  • Easy integration API.

What could be better:

  • Pricing plans may not be suitable for all users.
  • Some advanced features may require additional fees.
  • Limitations in accuracy due to various factors.

DB-IP

This RESTful API can source country names, languages, currency, and calling codes.

There are three product tiers. Each tier is further split into three request volumes to support more IP Geolocation API requests, and each tier offers a free trial.

Only the top tier (Extended) features threat detection, and it can detect proxies and crawlers. It also checks IP addresses against a database of known malicious IP addresses.

Features:

  • Accurate IP geolocation data to determine location.
  • Worldwide coverage and a huge IP address database.
  • Real-time updates for the most recent geolocation data.
  • Versatile use for functions including fraud prevention, content personalization, and geotargeting.
  • API is designed for developers to make integration into systems and applications simple.

What is best for:

  • Precise IP geolocation information.
  • Supports flexible geolocation applications.
  • API integration designed for developers.

What could be better:

  • Capped free tier.
  • API integration is required to retrieve geolocation data.
  • Possible privacy issues associated with gathering IP addresses.

ipdata

ipdata can detect a visitor’s location by sourcing data including ZIP or postal code, flag code, calling code, and time zone.

The free API key is suitable for non-commercial use and is limited to 1,500 daily API requests.

Higher tiers mostly add more IP Geolocation API requests, though the top two also enable SLAs and other enterprise-level options.

Threat detection functionalities can detect TOR, proxies, and BOGON (unallocated IP addresses), and are available at all paid tiers.
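The bogon check mentioned above, as an added example that is not part of the original article or of any vendor’s code: it classifies an address against a constructed subset of the well-known special-purpose ranges so that a lookup pipeline can skip or flag non-routable addresses before spending credits on a geolocation or threat query. The range table is an incomplete, hand-picked subset; the full bogon list (including currently unallocated space) changes over time and must come from an authoritative, regularly updated feed.

```python
"""Classify client IP addresses against well-known bogon (martian) ranges.

Added example, not from the article or any reviewed vendor. The table is a
constructed subset of stable special-purpose registries (RFC 1918, RFC 6890,
RFC 4193, ...); unallocated space is deliberately not enumerated here.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# (network, reason) pairs; constructed subset of non-routable address space.
_BOGON_RANGES = [(ipaddress.ip_network(n), why) for n, why in [
    ("0.0.0.0/8", "this-network"),
    ("10.0.0.0/8", "rfc1918-private"),
    ("100.64.0.0/10", "shared-cgnat"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "rfc1918-private"),
    ("192.0.0.0/24", "ietf-protocol-assignments"),
    ("192.0.2.0/24", "documentation"),
    ("192.168.0.0/16", "rfc1918-private"),
    ("198.18.0.0/15", "benchmarking"),
    ("198.51.100.0/24", "documentation"),
    ("203.0.113.0/24", "documentation"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("2001:db8::/32", "documentation"),
    ("fc00::/7", "unique-local"),
    ("fe80::/10", "link-local"),
    ("ff00::/8", "multicast"),
]]


def classify_bogon(ip: str) -> Optional[str]:
    """Return the bogon category for *ip*, or None if it is routable space.

    Raises ValueError for strings that are not valid IPv4/IPv6 addresses, so a
    malformed client-supplied value never silently passes as 'routable'.
    """
    addr = ipaddress.ip_address(ip.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its embedded IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net, why in _BOGON_RANGES:
        if addr.version == net.version and addr in net:
            return why
    return None


def should_geolocate(ip: str) -> bool:
    """Gate a paid geolocation/threat lookup: bogons are never worth a credit."""
    return classify_bogon(ip) is None


def triage(ips: Iterable[str]) -> Dict[str, str]:
    """Label a batch of client addresses; malformed entries are kept as 'invalid'."""
    result: Dict[str, str] = {}
    for ip in ips:
        try:
            result[ip] = classify_bogon(ip) or "routable"
        except ValueError:
            result[ip] = "invalid"
    return result
```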

Features:

  • Precise IP geolocation information.
  • Comprehensive coverage and a sizable IP address database.
  • Real-time updates to guarantee the most recent geolocation data.
  • Additional data points such as ASN, currency, and time zone.
  • API designed for developers to integrate systems and applications easily.

What is best for:

  • Real-time data updates are available.
  • Additional data points are provided.
  • Developer-friendly API integration.

What could be better:

  • Limitations in accuracy due to various factors.
  • API integration is required to retrieve geolocation data.
  • Collecting and processing IP address information raises privacy concerns.

ipinfo

ipinfo returns visitor location data such as latitude/longitude, postal code, time zone, and ASN data, including ISP abuse contact details. There’s a free demo option as well as four paid plans.

Threat detection only becomes available in the top two tiers, but it includes the capability to detect VPNs, proxies, TOR, hosting providers, and relays.

While this may satisfy many use cases, a fuller suite of functionality has been split into a separate product.

Features:

  • Accurate IP geolocation information.
  • Comprehensive coverage and a sizable IP address database.
  • Updates in real-time to deliver the most recent geolocation data.
  • Additional information, including the company, time zone, and postal code.
  • API is designed for developers to make integration into systems and applications simple.

What is best for:

  • Comprehensive IP address coverage.
  • Updates in real-time for current information.
  • Additional data points, such as organization and time zone.

What could be better:

  • Pricing options may not suit all users.
  • Additional costs for advanced functionality.
  • Accuracy is limited by several factors.

Final words

If you have customers, process transactions, or hold customer data, you must treat the potential for cybersecurity threats with the utmost seriousness.

This isn’t just about fraud. It’s also about data protection regulations like the EU’s GDPR (General Data Protection Regulation).

This regulation allows data breaches to be fined at up to 4% of global revenue or €25 million, whichever is higher. There’s also brand damage to consider, as brand value is far easier to lose than gain.

So, it’s essential that you also fully consider the level of cybersecurity functionality that you need from your IP geolocation API.

Remember that while many products have threat detection capabilities, they may not expose them at all product tiers. Also, some products split their best functionality into separate products.

Consider exploring what opportunities there are to test each product so that you can identify whether it’s capable of meeting your business needs.



Proposed Massachusetts law to ban sale of your mobile location data


A proposed law would ban brokers from selling mobile location data in Massachusetts.

Cellular location phone data may be banned from sale in the state of Massachusetts, under a proposed law set to ruffle some data broker feathers.

The selling of location data has long been a point of contention for privacy experts. As with so much bulk user data, claims of anonymity from the sellers are never far behind. The reality is often quite different, with individuals or more general patterns routinely revealed in ways nobody thought possible. People were singled out from 500k AOL search records, and interesting findings were made from comparing a Netflix dataset to IMDB ratings back in 2006/07.

With location services, it’s even more important that anonymity is done correctly. Indeed, some would claim that attempts to anonymise data can never be 100% successful. Meanwhile location data can illustrate precise movements, patterns, a daily routine, or information regarding specific activities and pastimes—all of which can be used for nefarious purposes in the wrong hands.

Even when precautions have been taken, user data can still slip through the net in unusual ways. Not so long ago, researchers found it was possible to look at aggregate data from Strava and track the beginning and end positions of user routes via heat maps and social features.

It’s important, then, to try and get it right the first time with mobile data. Sadly, the odds are stacked against this when dedicated firms exist to tie IDs to names and addresses. With brokers selling the data behind the scenes, this proposed law aims to tackle the problem by simply taking the data off the table.

The Location Shield Act would do the following in Massachusetts:

It shall be unlawful for a covered entity or service provider that lawfully collects and processes location information to:—

(1) collect more precise location information than necessary to carry out the permissible purpose;

(2) retain location information longer than necessary to carry out the permissible purpose;

(3) sell, rent, trade, or lease location information to third parties; or

(4) derive or infer from location information any data that is not necessary to carry out a permissible purpose.

(5) disclose, cause to disclose, or assist with or facilitate the disclosure of an individual’s location information to third parties, unless such disclosure is (i) necessary to carry out the permissible purpose for which the information was collected, or (ii) requested by the individual to whom the location data pertains.

As the American Civil Liberties Union of Massachusetts (ACLU) notes, the buying and selling of this data is unregulated and affects all manner of privacy and safety issues. Domestic abusers can track ex-partners. Foreign governments can use the data for intelligence and tracking purposes. Employers can track and discriminate against employees. A variety of health and abortion access situations could lead to prosecution or harassment.

Owning a mobile device should not lead to this data being potentially made available to anyone with a credit card. There is strong voter support in Massachusetts for a law which would prevent this selling of personal location data, and the bill seems likely to pass.

The big question is whether or not it will inspire other states to follow suit and draft their own versions of a privacy issue sorely in need of rebalancing. 





Update now! Microsoft patches a whopping 130 vulnerabilities


For the July 2023 Patch Tuesday, Microsoft has issued security updates for 130 vulnerabilities, four of which are known to have been actively exploited.

It’s that time of the month again. For the July 2023 Patch Tuesday, Microsoft has issued security updates for 130 vulnerabilities. Nine of the vulnerabilities are rated as critical and four of them are known to be actively exploited.

The Cybersecurity & Infrastructure Security Agency (CISA) has already added these four vulnerabilities to its Known Exploited Vulnerabilities catalog.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited vulnerabilities are listed as:

CVE-2023-32049 (CVSS score 8.8 out of 10): a Windows SmartScreen Security Feature Bypass vulnerability. The user would have to click on a specially crafted URL to be compromised by the attacker in which case the attacker would be able to bypass the Open File – Security Warning prompt.

CVE-2023-35311 (CVSS score 8.8 out of 10): a Microsoft Outlook Security Feature Bypass vulnerability. The user would have to click on a specially crafted URL to be compromised by the attacker in which case the attacker would be able to bypass the Microsoft Outlook Security Notice prompt. The Preview Pane is an attack vector, but additional user interaction is required.

CVE-2023-32046 (CVSS score 7.8 out of 10): a Windows MSHTML Platform Elevation of Privilege (EoP) vulnerability. Exploitation of the vulnerability requires that a user open a specially crafted file. An attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file in which case the attacker would gain the rights of the user that is running the affected application.

CVE-2023-36874 (CVSS score 7.8 out of 10): a Windows Error Reporting Service Elevation of Privilege vulnerability. An attacker who successfully exploited this vulnerability could gain administrator privileges, but the attacker must have local access to the targeted machine, and the user must be able to create folders and performance traces on the machine, which is possible with the restricted privileges that normal users have by default.

The CVE below is under investigation and we will tell you more about it in a separate blog post.

CVE-2023-36884 (CVSS score 8.3 out of 10): an Office and Windows HTML Remote Code Execution (RCE) vulnerability. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

Additionally, Microsoft issued an advisory titled Guidance on Microsoft Signed Drivers Being Used Maliciously. The advisory warns about drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) which were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers. As a result of a Microsoft investigation, the partners’ seller accounts were suspended and detections for all the reported malicious drivers were added. Whether this really solves the problem of digitally signed malicious drivers is doubtful since there are publicly available tools to sign drivers.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities affecting ColdFusion and InDesign.

Apple has issued an RSR update for a vulnerability which it says may have been actively exploited.

Cisco has released security updates for several products.

Fortinet has released a security update to address a critical vulnerability (CVE-2023-33308) affecting FortiOS and FortiProxy.

Last week, Google patched three actively exploited Android zero-days.

Three new vulnerabilities in the MOVEit Transfer software have been fixed.

Mozilla has released a security update to address a vulnerability in Firefox and Firefox ESR.

SAP has released its July 2023 Patch Day updates.

VMware released VMware SD-WAN updates to fix a vulnerability.





Save 50% on this HP OMEN Gaming Laptop


Today, Best Buy has a great deal on the HP OMEN, which is currently on sale for $799. Since it is normally priced at $1,579, that saves you roughly 50% off its regular price, so it is definitely a good time to buy one.

HP OMEN – Best Buy

Why you should buy the HP OMEN

The HP OMEN AMD Advantage Edition 16.1″ Gaming Laptop is a powerful and versatile gaming laptop that’s perfect for gamers, creators, and anyone who wants a high-performance laptop. It features an AMD Ryzen 7 6800H processor, 16GB of RAM, and an AMD Radeon RX 6650M GPU, which can handle even the most demanding games and applications.

The laptop also has a 16.1-inch Full HD IPS display with a 144Hz refresh rate, which provides smooth and responsive gameplay. It also has a backlit keyboard, a fingerprint reader, and a long-lasting battery that can keep you gaming all day long.

Here are some additional reasons why you should buy the HP OMEN AMD Advantage Edition 16.1″ Gaming Laptop:

  • It’s powered by an AMD Ryzen 7 6800H processor, which is one of the most powerful mobile processors available.
  • It has an AMD Radeon RX 6650M GPU, which can handle even the most demanding games and applications.
  • It has a 16.1-inch Full HD IPS display with a 144Hz refresh rate, which provides smooth and responsive gameplay.
  • It has a backlit keyboard, a fingerprint reader, and a long-lasting battery that can keep you gaming all day long.
  • It comes with a free one-year subscription to Xbox Game Pass Ultimate, which gives you access to over 100 games on PC and Xbox.

If you’re looking for a powerful and versatile gaming laptop that can handle anything you throw at it, the HP OMEN AMD Advantage Edition 16.1″ Gaming Laptop is the perfect choice for you. Order yours today and start enjoying all the benefits of this amazing laptop.


