Home - h4ckers-news

YouTube TV Subscribers to Lose Access to Mets and Jets Games

Tech

andreasc

-

June 24, 2023

YouTube TV Subscribers to Lose Access to Mets and Jets Games

[ad_1]

YouTube TV is losing SNY, the regional sports network for the New York Mets and New York Jets, as of July 1. This means that YouTube TV subscribers will no longer be able to watch Mets and Jets games on the service.

The loss of SNY is a major blow for YouTube TV, as it is one of the most popular regional sports networks in the country. SNY broadcasts Mets and Jets games, as well as games from other New York teams, such as the Brooklyn Nets and New York Islanders.

YouTube TV subscribers who want to continue watching Mets and Jets games will need to switch to a different streaming service that carries SNY. Some of the other streaming services that carry SNY include Hulu + Live TV, fuboTV, and Sling TV.

Par the course for YouTube TV lately

The loss of SNY is the latest in a series of setbacks for YouTube TV. In recent months, YouTube TV has also lost channels such as Bally Sports West and Bally Sports Midwest. These losses have led to some subscribers canceling their YouTube TV subscriptions. Because many signed up for the sports, and the ability to DVR every sport, but now that’s not possible.

It is unclear why YouTube TV is losing SNY. Some have speculated that it is due to a dispute over carriage fees. Others have speculated that it is due to the fact that YouTube TV is not available on certain streaming devices, such as the Amazon Fire TV Stick.

Whatever the reason, the loss of SNY is a major blow for YouTube TV. It is a reminder that even the most popular streaming services are not immune to losing channels. And it’s just the latest blow to YouTube TV’s sports offerings. After having lost Fox Sports RSNs (later renamed to Bally Sports), and a few AT&T SportsNet channels, and now SNY.

[ad_2]
Source link

New JavaScript-based Dropper Delivers Malware

Hacking

andreasc

-

June 24, 2023

0

New JavaScript-based Dropper Delivers Malware

[ad_1]

The latest research unveiled the JavaScript-based droppers, which deliver Bumblebee and IcedID malware instead of PowerShell-based droppers.

These two malware types are significantly related to ransomware attacks.

Bumblebee is a modular loader, distributed primarily through phishing, used to deliver payloads commonly associated with ransomware deployments.

IcedID is a modular banking trojan that targets user financial information and can act as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions.

The significant change in Bumblebee and IcedId from a PowerShell-based loader to a javascript-based loader and from a banking trojan to a malware loader shows how the threat actors establish their TTPs to evade detection.

PindOS JavaScript Technical Analysis

According to Deep Instinct’s Threat Research Lab report, the dropper contains comments in Russian. It employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia.

The dropper consists of a single function, “exec,” which gets four parameters.

“UserAgent”: The user-agent string to be used when downloading Bumblebee’s.DLL

“URL1”: First address to download from
“URL2”: Second address to download from
“RunDLL”: Payload DLL-exported function to call

When executed, the dropper will attempt to download the payload initially from URL1 and execute it by calling on the specified export directly via rundll32.exe.

If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe.

The downloaded payload is saved to %appdata%/Microsoft/Templates/<6-char-random-number>.dat

When comparing the old Bumblebee DLL with the new variant, both have the same main function, “set path”.

Additionally, it includes “legitimate-looking” strings taken from the FFmpeg open-source project’s “error.c” file and a few other files from the same project for distraction purposes.

The new variant has four main export functions, unlike the older variant, which had two.

The retrieved payloads are generated pseudo-randomly “on demand,” which results in a new sample hash each time a payload is fetched to reduce the risk of detection.

As Bumblebee and IcedID are known to deliver ransomware, we recommend that security teams take note of these IOCs—updated IOCs from Deep Instinct’s GitHub page.

IOCs

Bumblebee.JS dropper SHA256
bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91
07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1
00ec8f3900336c7aeb31fef4d111ee6e33f12ad451bc5119d3e50ad80b2212b0
15da5b0a65dd8135273124da0c6e52e017e3b54642f87571e82d2314aae97eec
180a935383b39501c7bdf2745b3a334841f01a7df9d063fecca587b5cc3f5e7a
Bumblebee DLL payload: SHA256
24dd5c33b8a5136bdf29d0c07cf56ef0e33a285bb12696a8ff65e4065cb18359
76c9780256e195901e1c09cb8a37fb5967f9f5b36564e380e7cf2558652f875b
28c87170f2525fdecc4092fb347acd9b8350ed65e0fd584ce9fc001fd237d523
ac261ac26221505798c65c61a207f3951cc7dce2e1014409d8a765d85bfd91d4

IcedID.JS dropper SHA256
92506fe773db7472e7782dbb5403548323e65a9eb2e4c15f9ac65ee6c4bd908b
c84c84387f0b9e7bc575a008f36919448b4e6645e1f5d054e20b59be726ee814
7355656f894ae26215f979b953c8fa237dc39af857a6b27754a93adb1823f3b6
8f40ff286419eb4b0c4d15710dc552afb2c2a227a180f4b4f520d09b05724151
IcedID DLL payload: SHA256
9101975f7aca998da796fc15a63b36ab8aa0fe0aed0b186aaed06a3383d5f226
4f0c9c6fc1287ef16f4683db90dd677054a1f834594494d61d765fa3f2e1352c
cb307d7fa6eaac6a975ad64ff966ff6b0b0fdd59109246c2f6f5e8d50a33e93c
361b0157ef63d362fdd4399288f5f6a0e1536633dfb49c808a3590718c4d8f10
e71c9ac9ddd55b485e636840da150db5cd2791d0681123457bd40623acd8311c
8ae3be9f09f5fc64ec898a4d6467b2f6e50eaaa26fc460a4f1a9b9566e97a9a7

Manage and Secure Your Endpoints Efficiently – Free Download

[ad_2]
Source link

YouTube is testing multiple thumbnails for content creators

Android

andreasc

-

June 24, 2023

0

YouTube is testing multiple thumbnails for content creators

[ad_1]

Google-owned YouTube is testing a new feature for content creators that lets them upload and select from multiple thumbnails to add to videos, Android Police reports. The change is intended to allow content creators to figure out which thumbnails work best for their videos.

More specifically which thumbnails engage the viewer more by getting them to click. YouTube is calling this new feature Test & Compare. And has given a breakdown of how it works in a video on the company’s Creator Insider channel.

Creators upload three thumbnails with a video, then after a certain period of time they can choose a “winning thumbnail” to use as the permanent one. Inside of YouTube Studio creators can see which out of the three performed the best. This is based on the highest percentage of watch time. Creators will then be able to choose the winner. They can also choose to do a new test if they feel it’s needed. The feature is already out in the wild. As YouTube confirms it’s been testing it with a small number of creators over the past few months.

YouTube plans to roll out its thumbnails testing to more creators soon

The testing pools is small now, but it won’t be that way for much longer. YouTube says that in the coming months, a few thousand creators will get access to a beta version of this feature.

There’s no timeline here, so “the coming months” is a pretty broad window. But since it’s a beta YouTube is more than likely handpicking creators to add to the testing. So when does everyone get access? YouTube says it’s looking to roll this out more broadly sometime next year. Which means it won’t be available to a much wider audience for quite some time. YouTube does acknowledge though that this is been a top-requested feature so it wanted to let creators know that it’s being worked on.

[ad_2]
Source link

7 Best Tablets for going Back To School

Tech

andreasc

-

June 24, 2023

0

[ad_1]

There are some really great tablets on the market these days. From Lenovo, Samsung, Amazon and even Apple. But which ones are the best for you and/or your student? That’s why we have rounded up the very best tablets for back to school this year. So you can get the one that fits your needs and your budget the best.

Best Tablets For Back To School

On this list of tablets, you’ll find entrants from Lenovo, Samsung, Amazon, ASUS, and we’ve even included an iPad from Apple. That’s because they are all really good tablets, whether you’re using Android or iOS, or Windows or PC.

Whether you’re looking for something cheap, or something that can handle a bit more work and possibly replace a laptop or computer for you, we have everything you need right here on this list. You really can’t go wrong with the Samsung Galaxy Tab S8 or the Apple iPad Air (2022), both are great options and also the most expensive on this list.

Product name	Cost	Where to buy
Amazon Fire Max 11	$229	Amazon
Samsung Galaxy Tab A8	$197	Amazon
Samsung Galaxy Tab S8	$629	Amazon
Apple iPad Air (2022)	$559	Amazon
Google Pixel Tablet	$499	Amazon
Apple iPad Pro 11-inch (2022)	$769	Amazon
Microsoft Surface Pro 9	$959	Amazon

Amazon Fire Max 11

Price: $229
Where to buy: Amazon

Amazon has finally put out a pretty high-end, but still cheap tablet. It’s the Fire Max 11, which is an 11-inch tablet, with 14 hours of battery life, along with 4GB of RAM and 64GB of storage.

Now, the flip side to any Amazon tablet is that, there’s no Google apps on-board. So this is more useful for reading books and watching movies and TV shows. There are apps like Prime Video, Netflix, TikTok and so much more included here.

Amazon Fire Max 11 – Amazon

Samsung Galaxy A8

Price: $197
Where to buy: Amazon

The Galaxy A8 is Samsung’s “budget” tablet option, which is still a really good option. It sports a 10.5-inch LCD display, with 32GB of storage available. There is also a micro SD card slot in case you need some more space.

Samsung also sells this in dark gray, pink gold and silver.

Samsung Galaxy A8 – Amazon

Samsung Galaxy Tab S8

Price: $629
Where to buy: Amazon

The Samsung Galaxy Tab S8 is one of the best tablets you can get today. It has a 11-inch 120Hz LCD display, the Snapdragon 888 5G processor, along with a 8000mAh capacity battery That should keep you going all day long and then some.

Samsung has also included 8GB of RAM and 128GB of storage here. There is a Plus and an Ultra model of the Tab S8, which are far more expensive. All three models come with the S Pen, which is great for taking notes. There is also a keyboard attachment, but it is sold separately.

Samsung Galaxy Tab S8 – Amazon

Apple iPad Air (2022)

Price: $559
Where to buy: Amazon

This is the newest iPad Air, launched earlier this year. It has the new M1 chip that you’ll find in most of Apple’s newer laptops. So this is a pretty powerful, yet lightweight iPad.

Surprisingly, this comes with 64GB of storage by default. But for about $200, you can upgrade to the 256GB model. This purple color looks pretty awesome too, but if it is not for you, it also comes in blue, pink, space gray and starlight. You can also bundle it with the Apple Pencil or the Magic Keyboard, both are sold separately.

Apple iPad Air (2022) – Amazon

Google Pixel Tablet

Price: $499
Where to buy: Amazon

The Google Pixel Tablet is the first tablet from Google in quite a few years, and it’s doing something that no other tablet on this list does. And that’s being a hub. It comes with the speaker dock in the box, so you can dock your tablet, use it to watch movies and TV shows, control your smart home and so much more.

And you can also take your tablet with you, when you leave the house. Which is pretty cool. It does have the Google Play Store on-board, so all of your favorite Android apps are here.

Google Pixel Tablet – Amazon

Apple iPad Pro 11-inch

Price: $769
Where to buy: Amazon

The iPad Pro 11-inch is a powerful and versatile tablet that is perfect for students of all ages. It has a large, high-resolution display that is great for taking notes, writing papers, and watching videos. It is also powered by the A15 Bionic chip, which makes it one of the fastest tablets on the market.

The iPad Pro 11-inch also comes with a variety of features that make it ideal for students. These features include a built-in Apple Pencil, a Smart Keyboard Folio, and support for the latest version of iPadOS.

The Apple Pencil is a great way to take notes, draw, and sketch on the iPad Pro 11-inch. The Smart Keyboard Folio provides a comfortable typing experience and it also protects the iPad Pro 11-inch from scratches and bumps.

The iPadOS is a powerful operating system that is designed specifically for the iPad. It includes a variety of features that are useful for students, such as split-screen multitasking, a built-in file manager, and support for the App Store.

Apple iPad Pro 11-inch – Amazon

Microsoft Surface Pro 9

Price: $959
Where to buy: Amazon

The Microsoft Surface Pro 9 is a great choice for students who are looking for a powerful and versatile device for back to school. It has a 13-inch PixelSense Flow Display with a 120Hz refresh rate, so it’s perfect for both work and play. It’s also powered by the latest 12th Gen Intel Core processors, so it can handle even the most demanding tasks.

The Surface Pro 9 is also very portable, so it’s easy to take with you on the go. It weighs just 1.7 pounds and is just 0.37 inches thick, so you can easily slip it into your backpack or purse.

In addition to its powerful performance and portability, the Surface Pro 9 also has a number of other features that make it a great choice for students. It has a built-in kickstand, so you can prop it up in a variety of positions. It also has a detachable keyboard, so you can use it as a tablet or a laptop.

Microsoft Surface Pro 9 – Amazon

[ad_2]
Source link

Former FBI Analyst Sentenced for Keeping Defense Documents

Hacking

andreasc

-

June 24, 2023

0

Former FBI Analyst Sentenced for Keeping Defense Documents

[ad_1]

Former FBI Analyst sentenced for keeping hundreds of National Defense documents and other classified information.

According to the report published by the Department of Justice, Kendra Kingsbury, 50 who was a former FBI analyst was arrested and sentenced to 46 months in federal prison along with three years of supervised release.

Kingsbury was convicted and pleaded guilty on October 30, 2022, for unlawfully retaining sensitive information relating to the FBI at her residence.

Kingsbury worked for the FBI from 2004 to December 15, 2017, under many different FBI squads relating to Illegal Drug Trafficking, Violent crime, and Counterintelligence.

Kingsbury had a top-level security clearance and had access to several sensitive information belonging to national defense and other classified information.

It also included presentation and training materials used by the FBI that are prohibited from being retained externally.

Kingsbury, Counterterrorism and Al Qaeda

During the investigation, she admitted that she had unlawfully removed data from the FBI and retained some information at her residence in Kansas.

This information includes details about the Intelligence sources and methods of the U.S. Government relating to counterterrorism, counterintelligence, and cyber threat defense.

In addition to this, she also retained some information relating to the human-source operation in national security investigations and other intelligence services on terrorist organizations and their technical capabilities.

The FBI has been tracing many terrorist organizations that are kept SECRET and classified.

This information also relates to Al Qaeda support members in the African continent and some suspects associated with Osama Bin Laden.

Kingsbury retained that information and stored it at her residence which is considered to be a violation according to the Espionage Act.

Further investigations revealed that she had many suspicious telephone records that are associated with the suspects in counterterrorism investigations.

Furthermore, there were also calls from those suspected individuals but Kingsbury did not reveal why she contacted them. Investigations are still going on for this case.

Looking For an All-in-One Multi-OS Patch Management Platform – Try Patch Manager Plus.

[ad_2]
Source link

5 facts to know about the Royal ransomware gang

Malware

andreasc

-

June 24, 2023

0

5 facts to know about the Royal ransomware gang

[ad_1]

A quick look the cybercriminal group known as Royal—one of the fastest growing ransomware gangs today.

When we first introduced the Royal ransomware gang in our November 2022 review, little did we know they’d rapidly evolve into one of the most potent threats in our ongoing monthly threat intelligence briefings.

In fact, the Malwarebytes Threat Intelligence team has tracked down a staggering 195 ransomware incidents credited to Royal from November 2022 to June 2023.

Known Royal attacks up to May 2023

These figures put Royal in a formidable third place for that time frame, trailing behind ALPHV (with 233 incidents) and the relentless LockBit (at 542 incidents).

In the rest of this post, we’ll be shedding some light on five key facts to know about the Royal ransomware gang.

1. 66% of their initial access is done through phishing

It seems there are three things certain in life: death, taxes, and phishing as a reliable attack vector.

Royal likes to send phishing emails with nasty PDFs attached. They have also been spotted using callback phishing attacks to lure victims into installing remote desktop malware.

Once someone falls for Royal’s phishing scam and ends up with malware on their computer, that malware tries to reach out to its command and control (C2) base. Then it starts downloading malicious tools to aid in lateral movement or exfiltration.

2. They have a massive USA bias

The Malwarebytes Threat Intelligence team found that 64% of Royal’s victims are from the USA.

Known Royal attacks up to May 2023 by country

For comparison, 43% of all known ransomware attacks were on the USA in the same November 2022 to June 2023 time period. For gangs with more than 50 attacks, Royal was only second to Black Basta (67%) for attackers on the USA.

3. Cobalt Strike is one of the many legit tools they repurpose for malicious activities

Royal has been spotted using a host of legitimate tools to carry out their attacks under the radar. Just some of these tools include:

By mimicking normal behavior, these tools can make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities.

4. We’ve observed them reinfecting victims

Shortly after Royal rose to prominence in late 2022, a new customer joined the Malwarebytes Managed Detection and Response (MDR) service. The customer was previously a casualty of a Royal ransomware attack and thought they had dusted themselves off completely.

But soon after plugging in with us, we spotted some shady activities.

Malwarebytes MDR detecting “Ransomware.Royal” in the client’s network.

It turns out that Royal wasn’t content with having ‘merely’ attacked our customer once—they were still messing around in their system, potentially setting the stage for another damaging attack.

Fortunately, our EDR tech halted the ransomware in its tracks, and our MDR team managed to stop the post-ransomware havoc from spiraling further.

Still, it goes to show that attacks Royal doesn’t simply move on after a successful attack; they stay engaged for future exploitation, if they can help it.

5. The Services, Wholesale, and Technology industries are their top victims

When we look at Royal ransomware’s victimology, no overwhelming pattern stands out like it does for Vice Society.

Known Royal attacks up to May 2023 by industry sector

Their victims per industry more or less match the averages across all ransomware gangs, suggesting they are sheer opportunists without a particular industry focus.

Like any ransomware gang, they leverage any potential vulnerabilities and security gaps across sectors, launching their attacks wherever they find the easiest point of entry.

Getting the upper-hand against the Royal gang

Royal has made a big name for itself in a short amount of time.

While it looks like Royal will attack anyone they think is an easy target, it’s safe to say that organizations in the USA should be particularly wary of Royal considering their strong focus on that country.

We recommend the organizations across all sectors follow a few best practices to prevent (and recover) from ransomware attacks from every angle. That includes:

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity, including Royal ransomware.

Malwarebytes EDR blocking Royal ransomware On-Execution

In our Ransomware Emergency Kit, you’ll find more tips your organization needs to defend against RaaS gangs.

Get the emergency kit

[ad_2]
Source link

Samsung Galaxy Z Flip 4 vs Motorola Razr+

Android

andreasc

-

June 24, 2023

0

Samsung Galaxy Z Flip 4 vs Motorola Razr+

[ad_1]

Motorola launched its new clamshell foldable, the Motorola Razr+ or Razr 40 Ultra, it depends on the market. The first name is used in the US, while the device carries the ‘Razr 40 Ultra’ name elsewhere. Having said that, in this article, we’ll compare the Samsung Galaxy Z Flip 4 vs Motorola Razr+. The Galaxy Z Flip 5 is right around the corner, but the Flip 4 is still Samsung’s best flip phone, so… there you go.

We’ll first list the specs of both devices, and will then proceed to compare them across a number of different categories. We’ll compare their designs, displays, performance, battery life, cameras, and audio performance. Just to be perfectly clear, we’ll refer to Motorola’s new handset as the ‘Razr+’ from now on, but what is said here applies for the same model in other markets, basically. They’re the same devices, we just had the privilege to test the ‘Razr+’ in the US.

Specs

	Samsung Galaxy Z Flip 4	Motorola Razr+
Screen size	Main: 6.7-inch fullHD+ Dynamic AMOLED display (foldable, 120Hz) Secondary (Cover): 1.9-inch Super AMOLED display (flat, 60Hz)	Main: 6.9-inch fullHD+ LTPO AMOLED (foldable, 165Hz) Secondary (Cover): 3.6-inch AMOLED display (flat, 144Hz)
Screen resolution	Main: 2640 x 1080 Secondary (Cover): 260 x 512	Main: 2640 x 1080 Secondary (Cover): 1056 x 1066
SoC	Qualcomm Snapdragon 8+ Gen 1	Qualcomm Snapdragon 8+ Gen 1
RAM	8GB	8GB/12GB
Storage	128GB/256GB/512GB (UFS 3.1), non-expandable	256GB/512GB (UFS 3.1), non-expandable
Rear cameras	12MP (f/1.8 aperture, 24mm lens, 1.8um pixel size, OIS, Dual Pixel PDAF) 12MP (f/2.2 aperture, 123-degree FoV, 1.12um pixel size, ultrawide)	12MP (f/1.5 aperture, 1.4um pixel size, OIS, PDAF) 13MP (f/2.2 aperture, 108-degree FoV, 1.12um pixel size)
Front cameras	10MP (f/2.4 aperture, 26mm lens, 1.22um pixel size)	32MP (f/2.4 aperture, 0.7um pixel size)
Battery	3,700mAh, non-removable, 25W wired charging, 15W wireless charging, 4.5W reverse wireless charging Charger not included	3,800mAh, non-removable, 30W fast wired charging, 5W wireless charging Charger included (not in the US)
Dimensions	Unfolded: 165.2 x 71.9 x 6.9mm Folded: 84.9 x 71.9 x 15.9-17.1mm	Unfolded: 170.8 x 74 x 7mm Folded: 88.4 x 74 x 15.1mm
Weight	187 grams	184.5/188.5 grams
Connectivity	5G, LTE, NFC, Bluetooth 5.2, Wi-Fi, USB Type-C	5G, LTE, NFC, Bluetooth 5.3, Wi-Fi, USB Type-C
Security	Side-facing fingerprint scanner	Side-facing fingerprint scanner
OS	Android 12 One UI 4.1.1	Android 13
Price	$999.99	$999
Buy	Samsung	Amazon

Samsung Galaxy Z Flip 4 vs Motorola Razr+: Design

Both phones are made out of aluminum and glass. The Razr+ does also come in a variant with a vegan leather backplate, though. Both phones fold right down the middle, of course, and both have two cameras on the back. You’ll also notice a centered camera hole on both devices, on their main displays. The bezels are rather thin around those displays, by the way. The sides on the Galaxy Z Flip 4 are flatter than they are on the Razr+.

One important difference between them is the fact the Razr+ folds flat, and it also has a less noticeable crease. The Motorola Razr+ has horizontally-aligned cameras on the back, while the Galaxy Z Flip 4 includes a vertically-oriented ones. They both have cover displays, but the one on the Razr+ is much larger. It even goes around the rear cameras on the phone. We’ll talk more about the displays in the next chapter.

The Motorola Razr+ is slightly lighter than the Galaxy Z Flip 4, while it’s taller, wider, and about the same thickness when unfolded. When folded, the Motorola Razr+ is thinner than Samsung’s handset. They do have a rather similar feeling in the hand, even though you’ll feel the difference between them. The Galaxy Z Flip 4 is IPX8 rated, so it’s water resistant. The Motorola Razr+ comes with a water-repellent coating.

Samsung Galaxy Z Flip 4 vs Motorola Razr+: Display

Samsung Galaxy Z Flip 4 AM AH 2 — Samsung Galaxy Z Flip 4

The Galaxy Z Flip 4 features a 6.7-inch fullHD+ (2640 x 1080) main display. That is a foldable Dynamic AMOLED 2X panel. It has a 120Hz refresh rate, and it supports HDR10+ content. This panel gets up to 1,200 nits of brightness at its peak. There is a second panel on the back, and it measures 1.9 inches. That is a Super AMOLED display with a 260 x 512 resolution. That second panel is protected by the Gorilla Glass Victus+.

The Motorola Razr+, on the flip side, includes a 6.9-inch fullHD+ (2640 x 1080) main panel. That is a foldable LTPO AMOLED display. It can project up to 1 billion colors, and has a 165Hz refresh rate. HDR10+ content is supported by this display, and the panel goes up to 1,400 nits of brightness at its peak. The second panel on the phone measures 3.6 inches, and has a 1056 x 1066 resolution. That is an AMOLED display that can project up to 1 billion colors. It has a 144Hz refresh rate, and supports HDR10+ content. This panel goes up to 1,100 nits of brightness at its peak, and it’s protected by the Gorilla Glass Victus.

We basically don’t have any major complaints about any of these displays, at least as far as image projection is concerned. They’re all vivid, and offer good viewing angles. They’re also sharp enough. The refresh rate of the Galaxy Z Flip 4’s second display is not that important considering the way it’s meant to be used, but the Motorola Razr+ definitely has the edge there. The crease on the Motorola Razr+’s main display is also less noticeable, so that’s certainly a plus. It’ll not only poke you less in the eyes, but you’ll feel it less under your fingers.

One important difference between the cover displays on these two phones is the number of things you can do with them. The Motorola Razr+ allows you to use its cover display to full extent. In other words, you can run full apps on it. The same cannot be said for the Galaxy Z Flip 4’s panel, which is meant to be used mainly for widgets.

Samsung Galaxy Z Flip 4 vs Motorola Razr+: Performance

The Snapdragon 8+ Gen 1 fuels both of these smartphones. That is not Qualcomm’s latest and greatest chip, but it’s the next best thing. The Galaxy Z Flip 4 comes with 8GB of LPDDR5 RAM, and up to 512GB of UFS 3.1 flash storage. The Motorola Razr+, on the other hand, offers up to 12GB of LPDDR5 RAM, and up to 512GB of UFS 3.1 flash storage. Neither phone offers expandable storage, by the way.

When it comes to performance, you’ll be happy with both of them. The software runs smoothly on both phones, regardless of what you’re doing. Simpler tasks are not a problem, and the same can be said for more demanding tasks too. Even if you decide to play some games on these two phones, they will do a fine job, even those demanding titles. On the Motorola Razr+, you can even use the second display to play full games, if you’re so inclined. Neither phone gets too hot for use after a longer gaming session either, even though they do get quite warm, which is normal.

Samsung Galaxy Z Flip 4 vs Motorola Razr+: Battery

There is a 3,700mAh battery included inside the Galaxy Z Flip 4, while the Motorola Razr+ has a 3,800mAh battery on the inside. The Motorola Razr+ does have a slightly larger battery, but also larger displays, and higher refresh rates. Looking just at those facts, the battery life shouldn’t be too different. Well, it is not, but the Motorola Razr+ does offer better battery life, at least it did during our testing.
With the Galaxy Z Flip 4, we were able to get around 7-7.5 hours of screen-on-time, while the Motorola Razr+ pushes that to 7.5-8 hours of screen-on-time. This doesn’t have to mean much to you, as your results may be entirely different. It should give you an idea of what the phones are capable of when it comes to battery life, though. We did not game much during our testing, but we did not spare either phone, of course. These are numbers that we were able to achieve during more normal usage days, not the ones in which we used the camera for hours. As I said, though, your mileage may vary for a number of reasons.

What about charging? The Galaxy Z Flip 4 supports 25W wired, 15W wireless, and 4.5W reverse wireless charging. The Motorola Razr+ supports 30W wired, and 5W wireless charging. Neither phone comes with a charger in the US, but the Motorola Razr+ may include one in some other markets, so keep that in mind.

Samsung Galaxy Z Flip 4 vs Motorola Razr+: Cameras

A 12-megapixel main camera can be found on the Galaxy Z Flip 4, along with a 12-megapixel ultrawide unit (123-degree FoV). The Motorola Razr+, on the flip side, has a 12-megapixel main camera, and a 13-megapixel ultrawide unit (108-degree FoV). The ultrawide camera on the Galaxy Z Flip 4 has a much wider field of view, and that is something we appreciated, as you can stuff a lot more content in the frame.

Motorola Razr plus 2023 review AM AH1 — Motorola Razr+

Having said that, how do they perform? Well, based on the images taken side-by-side, the Galaxy Z Flip 4 tends to offer more saturated images, as expected. That is, at times, an advantage, and at times a disadvantage. It handles HDR conditions better during the daytime, but then again that added saturation can ruin some images, like skin tones in some cases, and so on. The Motorola Razr+, on the other hand, tends to provide rather dull images at times, while in other situations it does a great job.

In low light, we preferred the Motorola Razr+ most of the time. It handled street lights a lot better, and the same goes for neon signs. It’s kind of a different situation than when it comes to daylight shots, where the Galaxy Z Flip 4 was mostly the better device. Their ultrawide cameras do follow this same pattern, more or less.

Audio

You will find a set of stereo speakers on both of these phones. The speakers on the Motorola Razr+ were louder, though, while the sound output is really good from both devices. They’re well-balanced, though don’t expect miracles, of course.

An audio jack is not included on either device. You’ll have to resort to their Type-C ports for wired audio connections. If you prefer to go wireless, that’s not a problem. Bluetooth 5.2 is available on the Galaxy Z Flip 4, while Bluetooth 5.3 can be utilized on the Motorola Razr+.

[ad_2]
Source link

US government to launch a public working group for AI

Tech

andreasc

-

June 24, 2023

0

US government to launch a public working group for AI

[ad_1]

After seeking public opinion on regulating AI, the US government now wants to launch a public working group consisting of volunteer experts to address AI risks and benefits. The initiative is launched by the National Institute of Standards and Technology (NIST). It focuses on AI technology capable of producing images, videos, text, code, and music.

As AI is taking over different aspects of our life, governments worldwide must be quick to design regulations to mitigate risks and challenges. The US government is somehow at the forefront of AI regulations and even aims to collaborate with the EU in this regard. Gina Raimondo, the US Secretary of Commerce, is now asking AI volunteer experts to share their feedback with the government.

This public working group focuses on generative AI and wants to weigh the AI risks for society as well as its benefits for different sectors. This is the second request for comment (RFC) by a government agency after the first RFC in April.

The US government is asking for volunteer experts’ opinions on generative AI

The final product of this public working group would be a set of guidelines for companies to tackle risks generated by AI. The group works through a collaborative online workspace.

NIST has already developed an “AI Risk Management Framework”. This framework helps the agency manage risks AI could pose to individuals, organizations, and society. The public working group first needs to find out if this guideline could be used to support generative AI development. Then, it needs to support NIST’s AI-related tests and evaluations. Finally, this group must find a way to drive AI capabilities to solve critical health and environmental issues.

“President Biden has been clear that we must work to harness the enormous potential while managing the risks posed by AI to our economy, national security, and society,” Raimondo said in a statement. “Building on the framework, this new public working group will help provide essential guidance for those organizations that are developing, deploying, and using generative AI, and who have a responsibility to ensure its trustworthiness.”

Despite its endless benefits, AI is becoming a source of concern for Big Tech like Apple and Google. Both companies have prohibited their employees from using AI chatbots and sharing confidential material with it.

[ad_2]
Source link

Importance, Risks, and Test Cases

Hacking

andreasc

-

June 24, 2023

0

[ad_1]

In the ever-evolving landscape of system connectivity, APIs have transformed how information is shared and utilized. However, their widespread adoption has introduced security risks that cannot be ignored.

LinkedIn’s data breach, where approximately 92% of data was exposed due to inadequate API authentication, serves as a reminder of the consequences of overlooking security measures.

To address these concerns, API security testing has emerged as a leading-edge approach to unveil vulnerabilities and enhance operational efficiency.

What is API Security Testing?

API security testing refers to assessing the security of an Application Programming Interface (API). API security testing focuses on identifying vulnerabilities and weaknesses in the API implementation that attackers could exploit.

The goal is to ensure the API’s confidentiality, integrity, availability, and the data it handles.

By conducting security testing, organizations can proactively identify and mitigate potential risks, protect sensitive information, and prevent unauthorized access to the API.

Why Is API Security Important?

API security testing is vital for several reasons, and understanding the significance becomes clearer when considering real-world API breaches and their implications. Here are a few examples:

Data breaches: APIs often handle sensitive data, such as personal information, financial data, or intellectual property. Inadequate API security can lead to data breaches, where attackers gain unauthorized access to this information.

For instance, the Facebook-Cambridge Analytica scandal involved the unauthorized access of user data through a vulnerable API, resulting in the misuse of personal information for political purposes.

Unauthorized access and account takeover: Weak authentication mechanisms or improper authorization controls can allow attackers to gain unauthorized access to user accounts or system functionalities.

In 2018, a vulnerability in T-Mobile’s API allowed hackers to access customer data, including names, addresses, and account numbers, leading to potential account takeovers and identity theft.

Injection attacks: APIs that lack proper input validation and output encoding are susceptible to injection attacks. In 2017, the Equifax breach occurred due to an unpatched vulnerability in an API, which allowed attackers to execute a remote code injection, compromising the personal information of approximately 147 million people.

Denial-of-Service (DoS) attacks: APIs that do not implement rate limiting or throttling mechanisms are vulnerable to DoS attacks. In 2016, the Dyn DNS attack targeted a vulnerable API, causing widespread internet outages by overwhelming DNS servers with massive requests and rendering many popular websites and services inaccessible.

Insecure direct object references: Insufficient access controls can lead to broken object-level authorization, where attackers manipulate parameters to gain access to unauthorized resources. In 2019, a vulnerability in Capital One’s API allowed an attacker to exploit this weakness, resulting in the unauthorized access of over 100 million customer records.

These examples highlight the potential consequences of API security vulnerabilities. Breaches can result in significant financial losses, damage to a company’s reputation, loss of customer trust, legal repercussions, and regulatory penalties.

API security testing plays a crucial role in identifying and mitigating these vulnerabilities, helping organizations proactively secure their APIs and prevent such breaches from occurring.

By conducting thorough security testing, organizations can identify and address potential weaknesses, implement robust security measures, and ensure that sensitive data and system functionalities are adequately protected.

It allows for detecting vulnerabilities before they are exploited by malicious actors, thereby reducing the risk of breaches and maintaining the integrity and security of APIs and the underlying systems they connect to.

The following reasons below reflect the benefits of API security Testing:

1) Reduces the risk of getting hacked and protects users from API threats and other OWASP API top 10 listed vulnerabilities.

2) Ensures compliance of every new software release with the regulations and standards (HIPAA, GDPR, ISO, and many more).

3) Detect and resolve issues quicker by scanning your APIs regularly.

4) API security integrated with CI/CD mitigates the risk of vulnerabilities.

5) Reduces associated financial or data losses.

Top Test Cases That API Security Testing Tests For

API security testing can be performed through manual and automated techniques, including security code reviews, vulnerability scanning, penetration testing, and fuzzing.

Authentication and authorization testing: This includes verifying the effectiveness of authentication mechanisms such as API keys, access tokens, or OAuth. It also involves testing the authorization controls to ensure that only authorized users or applications can access the API resources.

Input validation and output encoding:

Testing the API for proper input data validation.
Handling malicious inputs.
Appropriate output encoding to prevent injection attacks like SQL injection or Cross-Site Scripting (XSS).

Encryption and transport security: Assessing the API’s use of secure communication protocols such as HTTPS and ensuring sensitive data is encrypted properly during transmission.

Error handling and exception management: Testing how the API handles error conditions and exceptions ensures that error messages do not reveal sensitive information and provide sufficient guidance to developers or consumers without exposing vulnerabilities.

Access control and privilege escalation: Evaluating the access controls within the API to ensure that users or applications have appropriate privileges and cannot escalate their privileges to gain unauthorized access.

Session management and statelessness: Testing how the API manages user sessions and maintains statelessness to prevent session-related vulnerabilities, such as session fixation or hijacking.

Rate limiting and throttling: Verifying that the API has mechanisms to prevent abuse, such as rate limiting or throttling, to protect against Denial-of-Service (DoS) attacks.

Logging and monitoring: Assessing the API’s logging capabilities to capture relevant security events and activities. Monitoring the logs and alerts in real-time can help identify suspicious behavior and potential security breaches.

Why Should You Automate API Testing?

Manual testing of large and complex APIs can be tiring and costly. Automating the process can help optimize the workflow by-

● Shortening the testing period

● Increasing test coverage

● Improving testing precision

● Increasing the feedback rate speed

API scanners may use intelligently fuzzed data to identify hidden flaws by understanding what an API expects as input.

Must-Have Features to Look Out for In an API Security Scanner

Given how API security scanners can help your team patch vulnerabilities and scale in security, let’s take a look at a few must-have features:

● Cloud-based deployment

● Easy integration with development and security tools

● Use of intelligent automation and analytics

● Customization of rules

● Zero hidden costs

● Availability of extensive reports and metrics

● Comprehensive coverage of attack vectors

● False-positive management

● Highly configurable API scanner

● 24×7 support and proof of concepts

● Plugin-based architecture

For seamless communication between connected apps, APIs must operate effectively. API testing enables an API’s proper functionality, security, and dependability. You may track the API lifecycle by selecting the appropriate API security testing tools like Infinite API Scanner from Indusface.

[ad_2]
Source link

Microsoft Azure AD flaw can lead to account takeover

Malware

andreasc

-

June 24, 2023

0

Microsoft Azure AD flaw can lead to account takeover

[ad_1]

Researchers have found a flaw in Microsoft Azure AD which they claim can be used to take over accounts that rely on pre-established trust.

Researchers have found that a flaw in Microsoft Azure AD can be used by attackers to take over accounts that rely on pre-established trust.

In a nutshell, Microsoft Azure AD allows you to change the email address associated with an account without verification of whether you are in control of that email address. And in Microsoft Azure AD OAuth applications that email address can be used as a unique identifier.

So, how can this be used in an account take-over?

To understand how this flaw—dubbed nOAuth by the researchers—works we need to take a few steps back and explain how OAuth works.

OAuth (short for Open Authorization) is a standard authorization protocol. It allows us to get access to protected data from an application. Generally, the OAuth protocol provides a way for resource owners to provide a client, or application with secure delegated access to server resources. It specifies a process for resource owners to authorize third-party access to their server resources without providing credentials.

Chances are you have dealt with OAuth many times without being aware what it is and how it works. For example, some sites allow you to log in using your Facebook credentials. The same reasoning that is true for using the same password for every site is true for using your Facebook credentials to login at other sites. We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised.

In the example we used above, Facebook is called the identity provider (IdP). Other well-known IdPs are Google, Twitter, Okta, and Microsoft Azure AD. For the “Open” concept in OAuth to work, the authentication is based on pre-established trust with the IdP. In our example, because you are logged into Facebook, the other site or service accepts your identity and allows you access.

Azure AD manages user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other software as a service (SaaS) applications using OAuth apps. The difference is that most IdPs advise against using an email-address as an identifier, but Microsoft Azure AD accepts it.

The attacker that wishes to abuse this flaw needs to set up an Azure AD account as admin. They can do this using an email address which is under their control. When they are all set, they can change the Email attribute to one that belongs to the target. The main flaw here is that this requires no validation whatsoever.

Now, all the attacker has to do is open the site or service they wish to take over and choose the “Login with Microsoft” option. They will automatically get logged into the account associated with the provided email address. Which was the one that belongs to the victim and not to the actual operator.

From that point on they can make the necessary changes to either gain persistence, steal information, or completely take over the account. With any luck the victim will get a “you logged in from a new device” type of notice, but that’s the best case scenario.

There is one caveat for the attacker though. Not all sites and services use the email address as a unique identifier.

The researchers have informed Microsoft and other stakeholders of the issue and steps are being taken to thwart this type of account takeover.

Microsoft already had existing documentation informing developers not to use the “email” claim as a unique identifier in the access token, and after the disclosure it published a dedicated page on Claims Validation with all the information a developer needs to consider when implementing authentication.

The researchers say they tested their proof-of-concept on hundreds of websites and applications and found many of them vulnerable. They shared the PoC with each affected organization and informed them of the vulnerability. While most of the affected apps were quick to respond and fix the issue, the number of tested apps was just a drop in the ocean of the Internet.

So, if you are running a site or service that uses Azure AD as an IdP, please check that you do not accept the Email attribute, because the email claim is both mutable and unverified so it should never be trusted or used as an identifier.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

[ad_2]
Source link