YouTube TV picks up nifty feature in latest update

0
[ad_1]

YouTube TV, just like many other TV services, has the broadcast delay feature as part of its offering. The delay between the camera capturing an event and the event being displayed when you’re watching on your TV is one of the features treasured by sports fans.

Today, YouTube TV announced that it has added a new feature that allows users to reduce broadcast delay on their TV. However, the new option doesn’t come without some compromises.

For example, the lower the broadcast delay, the less buffer the video player will have, which means that the chances of experiencing playback interruptions will be higher.

Obviously, internet congestion, Wi-Fi interference, and other factors may cause live programming issues too. In fact, YouTube TV admits that delays can happen even when someone has a great network.

In any case, if you want to check out the new feature here is what you have to do from your YouTube TV app:

  • Select the three dot more menu
  • Select “Broadcast Delay”
  • Select “Decrease for 48 hours” or “Default”

Keep in mind that if you choose “Decrease for 48 hours,” the decreased broadcast delay will revert to “Default” after the 2 days are up. According to Google, “Default” is best when it comes to stability, so if you want to reduce playback interruptions to a minimum, this is the setting that you should use.

On the other hand, “Decrease for 48 hours” is the best choice if you want to reduce live spoilers, so each option has its strengths and weaknesses.


[ad_2]
Source link

Atlassian Patches RCE Flaw that Affected Multiple Products

0
[ad_1]

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in multiple products. The CVEs for these vulnerabilities have been assigned as CVE-2023-22522, CVE-2023-22523, CVE-2023-22524, and CVE-2022-1471.

Atlassian has patched these vulnerabilities and has released security advisories for users to patch them accordingly.

CVE-2023-22522: RCE In Confluence Data Center & Server

This template injection vulnerability allows an authenticated threat actor with uncertain access to inject malicious input into a Confluence page and execute remote code on affected instances. Atlassian has given the severity of this vulnerability a 9.0 (Critical).

CVE-2023-22523: RCE Vulnerability in Assets Discovery

This vulnerability exists between the Assets Discovery application and the Assets Discovery agent, allowing a threat actor to perform privileged remote code execution on the machines with vulnerable installations. The severity of this vulnerability has been given a 9.8 (Critical) rating by Atlassian.

CVE-2023-22524: RCE Vulnerability Companion App

A threat actor can exploit this vulnerability by using the WebSockets and bypassing Atlassian Companion’s blocklist and MacOS Gatekeeper to perform remote code execution on affected machines. Atlassian has given the severity of this vulnerability as 9.6 (Critical).

This vulnerability exists in the SnakeYAML library for Java on Multiple Atlassian Data Centers and Server Products, which were vulnerable to deserialization flaws that could result in remote code execution if exploited. The severity of this vulnerability has been given as 9.8 (Critical).

Affected Products

The list of affected products are listed below

  • Confluence Data Center
  • Confluence Server
  • Jira Service Management Cloud
  • Jira Service Management Server
  • Jira Service Management Data Center
  • Atlassian Companion App for MacOS for
    • Confluence Server
    • Confluence Data Center
  • Automation for Jira app (including Server Lite edition)
  • Bitbucket Data Center
  • Bitbucket Server
  • Confluence Data Center
  • Confluence Server
  • Confluence Cloud Migration App
  • Jira Core Data Center
  • Jira Core Server
  • Jira Service Management Data Center
  • Jira Service Management Server
  • Jira Software Data Center
  • Jira Software Server

For fixed versions of these products, referring to Atlassian’s security advisory pages is recommended.

Users of these products are advised to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.


[ad_2]
Source link

Flashpoint Uncovers 100,000+ Hidden Vulnerabilities, Including Zero-Days

0
[ad_1]

Flashpoint’s latest report redefines the Vulnerability Management system and challenges the current standards set by CVE.

Reaching a noteworthy milestone, the cybersecurity firm Flashpoint has announced that its VulnDB (Vulnerability Database) now documents over 100,000 vulnerabilities. Notably, these vulnerabilities were not covered by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD). This includes zero-day vulnerabilities, containing those that were previously unknown, unannounced, and undocumented.

Vulnerability management programs typically rely on CVE data. However, this approach leaves organizations vulnerable, overlooking 30% of known threats. Flashpoint’s VulnDB database addresses this gap by including over 100,000 non-CVE vulnerabilities and comprehensively analyzing the threat landscape.

Flashpoint’s Brian Martin confirmed in the company’s official announcement that 101,000 non-CVE or hidden vulnerabilities, including zero-days and recently exploited flaws, have become part of their database. These vulnerabilities affect major vendors and specialized industries, posing significant risks.

“Our team goes above and beyond to provide our customers with the most comprehensive, actionable, and timely source of vulnerability intelligence. This includes our team adding over 90 new vulnerabilities on average daily while also updating roughly many hundreds of existing records,” Flashpoint researchers noted.

There are several restrictions with CVE data. For instance, CVE misses at least 30% of known vulnerabilities, and assigning CVE IDs is a lengthy process that may take up to a month to complete, leaving users/businesses vulnerable to zero-day attacks. Most importantly, CVE prioritizes vulnerabilities that can impact major vendors and neglects niche industries with distinct needs.

VulnDB, on the other hand, offers standardized information on CVE and non-CVE vulnerabilities. So it becomes easier for organizations to address them. Flashpoint collects data from thousands of sources, making VulnDB the most useful vulnerability database.

Over half of the non-CVE vulnerabilities are rated high to critical severity using CVSS v3. VulnDB covers a broader range of vendors, including Microsoft, Google, and Apple. The company tracks zero days and issues exploited in the wild, which helps it offer critical threat intelligence.

“Organizations need to remember that vulnerabilities discovered in the wild are sometimes first disclosed without a CVE ID. Zero-day vulnerabilities and other high-profile issues, such as the MOVEit vulnerability, also tend to follow this trend,” the blog read.

The report noted that around 60.4% of non-CVE vulnerabilities are remotely exploitable, making them attractive targets for attackers. Flashpoint’s VulnDB can help security teams identify/prioritize more vulnerabilities and focus on easy wins. They can target vulnerabilities with readily available exploit information and remediation steps.

Flashpoint Uncovers 100,000+ Hidden Vulnerabilities, Including Zero-Days

In addition, they can improve patch effectiveness by prioritizing vulnerabilities based on their actual impact and exploitability. Furthermore, VulnDB caters to the specific needs of industries such as manufacturing and medical devices, addressing issues often missed by CVE.

According to researchers, VulnDB provides quicker access to newly disclosed vulnerabilities, enabling proactive mitigation strategies and integrates well with existing GRC, ITIL, CMDB, and SIEM products, streamlining workflows.

Dangers of Unreported and Unknown Vulnerabilities

Unreported vulnerabilities pose a significant threat to cybersecurity due to their concealed nature and the potential for malicious exploitation. When vulnerabilities go unreported, organizations are unaware of their existence and, consequently, are unable to take proactive measures to address and patch these weaknesses in their systems.

This lack of awareness leaves systems exposed to exploitation by threat actors, who may capitalize on undisclosed vulnerabilities for unauthorized access, data breaches, or other malicious activities. The absence of reports also means that security experts and vendors remain uninformed, slowing the development of timely patches or mitigations.

As a result, unreported vulnerabilities can persist longer, increasing the window of opportunity for cybercriminals to exploit these weaknesses, thereby posing a serious and often underestimated risk to the overall security posture of systems and networks.

  1. The Most Common API Vulnerabilities
  2. Unveiling Vulnerabilities: Penetration Testing Services
  3. CVSS v4.0 Out with New Supplemental Metrics, OT/ICS/IoT Support

[ad_2]
Source link

Fortnite launches its Lego experience, and it’s pretty cool!

0
[ad_1]

What do Fortnite and Legos have in common? Well, they both revolve around building stuff. So, a partnership between them wasn’t all too unexpected. Epic Games announced this partnership just a few days ago, and it whetted our appetites. Now, Fortnite finally launched its Lego experience and, you guessed it, there’s going to be a lot of building.

The Lego Fortnite experience just launched, but what is it?

Fortnite is no stranger to implementing popular IPs into its universe. These partnerships usually involve entirely custom-built worlds, and Lego experience is no different. The story goes that you ran into a random portal (a natural occurrence in Fortnite?), and you’re transported to a Lego world. Also, you were transformed into a Lego character form.

Just like in standard Fortnite, you’ll need to survive. When you land in the Lego world, you’ll want to start gathering materials that you’ll use to start building your shelter. It’s hard to avoid the similarities to Minecraft. There are several aspects that will remind you of that game.

When you’ve gathered enough materials, you’ll be able to build a crafting bench that will give you access to more materials that you can build. The structures you can build will depend on the raw materials that you collect. The materials you can collect will depend on the tools that you craft. This is all standard Minecraft fare.

Building more than forts

So, when you’re building in the Lego experience, you’re not under the constant fear of being sniped by a camper from across the field. Rather, you’ll be able to cooperate with other users and build buildings. They can be as simple as houses or as complex as castles. In fact, don’t be surprised if you wind up building entire villages. You’ll be able to team up with other players to build all kinds of structures.

Yet another comparison to Minecraft (sorry); there are two modes that you can play in. Survival Mode is the standard mode. You can only build structures from the materials that you gathered. Also, you’re affected by things such as hunger, the weather, and stamina.

If you just want to build, you can go to Sandbox Mode. Here, just like in Creative mode in Minecraft, you can place structures without needing to gather materials. Also, you won’t be affected by the hunger, stamina, or the weather

It’s all about survival

As stated, you’re not under constant fear of being sniped from across the field. However, there are other threats to deal with. These threats come in the form of monsters. The land you fell into just so happens to be infested with all types of creatures that want your plastic head on a platter. In this experience, you’ll want to gather materials, craft weapons, and fend them off. While they’re not exactly Creepers, there seem to be giant chameleon monsters; the village-wrecking kind.

Your friends got your back

Don’t worry, this is a multiplayer addon for the game. This means that you’re able to bring your friends in and build together. When you create a world, you can bring up to seven additional players into it. They’ll become keyholders, and this means that they can also access and craft in the world. You’ll be able to party up, fight monsters, build your village, and just have a grand old time.

Play today!

You can access this new feature today no matter where you download Fortnite. When you’re in the menu, you’ll want to go to the Discover section and select the Lego Experience. You can also connect your Fortnite and Lego accounts for added perks.


[ad_2]
Source link

A Threat to mobile Devices

0
[ad_1]

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered.

This vulnerability can be exploited by tricking the Bluetooth host state machine into pairing with a fake keyboard without authentication.

This vulnerability affects Android devices with Bluetooth enabled, Linux/BlueZ devices with Bluetooth Connectable/Discoverable iOS and macOS with Bluetooth enabled, and Magic Keyboard paired with the phone or computer.

The CVE for this vulnerability has been assigned as CVE-2023-45866.

CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection

After pairing with the target phone or computer, a threat actor can exploit this vulnerability from a Linux computer that uses a Standard Bluetooth adapter.

Once paired, the threat actor can inject keystrokes and perform arbitrary actions in the name of the victim, which does not require any authentication.

Affected Devices

Additionally, this vulnerability was successfully reproduced on the devices below.

  • Pixel 7 running Android 14
  • Pixel 6 running Android 13
  • Pixel 4a (5G) running Android 13
  • Pixel 2 running Android 11
  • Pixel 2 running Android 10
  • Nexus 5 running Android 6.0.1
  • BLU DASH 3.5 running Android 4.2.2
  • Ubuntu 18.04, 20.04, 22.04, 23.10
  • 2022 MacBook Pro with MacOS 13.3.3 (M2)
  • 2017 MacBook Air with macOS 12.6.7 (Intel)
  • iPhone SE running iOS 16.6

ChromeOS was not found to be vulnerable to this attack as it was patched perfectly by Google.

The security researcher has not published a fully detailed report about this vulnerability. However, a GitHub repository that explains the impact and details of this vulnerability has been published.

The Linux vulnerability (CVE-2020-0556) has been fixed, but it seems like the fix was left disabled by default, which makes the devices still vulnerable to this attack vector.

BluZ has fixed this vulnerability and enabled the fix by default as of the fix of 2020.

Google will fix the vulnerabilities in currently supported Pixel devices via December OTA updates.


[ad_2]
Source link

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

0
[ad_1]

Reflectiz Elevates Security with AI-Powered Smart Alerting: Enhanced Threat Detection with Cross-Validation.

Ramat Gan, Israel, December 7th, 2023, Cyberwire – Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new AI-powered capability enhancing its Smart Alerting system.

The new AI-powered insights enhance the Reflectiz Smart Alerting system by integrating AI LLM technology on top of its traditional alerting tool for cross-checking the validity of the alert with Reflectiz’s extensive databases.

It then recommends the next steps, indicating whether it’s safe to approve or requires further investigation while providing clear justification for that decision. The system immediately raises a flag if any component is identified as uncommon, malicious, or vulnerable. This empowers our customers to rapidly detect and respond to malicious activities, thwarting the latest advancements in cyberattacks.

Statistically, new applications and new domains are the most common alerts, and the AI engine recommendations can save 25%-30% of the time managing the new alerts. 

Quick Justifications for PCI DSS Audits

PCI DSS requires the detection, approval, and justification of each script loaded on the application page. If you choose to approve an application, the AI engine can automatically generate the justification for you. This rationale will then be included in the PCI report, as usual, leading to a reduction in the time spent on PCI.

Reflectiz now offers a free PCI Dashboard for 30 days, helping clients meet the new PCI DSS v4 requirements and bolster their web security.

Idan Cohen, Reflectiz co-founder and CEO, states, “Today, Reflectiz takes a significant step forward by integrating LLM into our alert system. This enhances our platform, enabling clear justifications within seconds and allowing security teams to respond swiftly to prevent security and privacy breaches.”

About Reflectiz:

Reflectiz is a leading cybersecurity company specializing in next-generation web threat management. Years of research by cybersecurity experts have led to the development of our cutting-edge platform, which is trusted by global companies to keep their websites secure.

Recognized by Gartner for innovation in website security, Reflectiz is dedicated to combating today’s web threats and making the Internet a safer place for businesses and customers alike. Book a personalized demo here.

Contact


[ad_2]
Source link

Q3 2023 sees record foldable sales, Samsung leads the market

0
[ad_1]

The foldable smartphone market had a strong Q3 2023. Thanks to the arrival of the Galaxy Z Flip 5 and Galaxy Z Fold 5, shipments grew a whopping 215% quarter-on-quarter (QoQ) from Q2 and 16% year-on-year (YoY) from the same period last year. Unsurprisingly, Samsung was the biggest foldable vendor this past quarter. However, its market share dropped a little compared to Q3 2022.

Samsung is feeling the heat of growing competition in the foldable market

According to the display industry experts at DSCC, seven million foldable smartphones were shipped globally in the third quarter of this year. It is a new quarterly shipment record. The previous high was 6.1 million in Q3 2022 when Samsung launched its fourth-gen foldables. The market exceeded expectations, which bodes well for the future of the foldable industry.

Samsung, whose market share usually peaks in the third quarter thanks to new arrivals, accounted for 72% of all foldable sales in Q3 2023. It also had the top two best-selling models—Galaxy Z Flip 5 with a 45% share and Galaxy Z Fold 5 with a 24% share. No other vendor or foldable model reached a 10% market share this past quarter. Huawei and Honor followed the Korean firm distantly.

While it may sound like Samsung is unchallenged in the foldable market, that isn’t completely true. Yes, it has led the shipment chart for every quarter ever since foldables came into existence. After all, the Korean behemoth has been the only firm selling these unconventional phones globally since 2019. However, that’s changing rapidly as more companies enter the scene.

Effectively, Samsung’s market share is declining. In Q3 2022, it had an 86% share, which dropped to 72% this year. Moreover, DSCC projects its market share to come down from 83% in Q4 2022 to 42% in the final quarter of 2023. Huawei and Honor are both expected to see a surge in their share, reaching about 20%. The total foldable shipments may reach 3.6 million in Q4 this year, with full-year shipments reaching 15.8 million.

BOE may become the biggest foldable display maker in Q4

It may be a double whammy for Samsung in the foldable industry this year. On one hand, its foldable smartphone market share is declining. On the other hand, the firm’s display arm may lose the crown of the biggest foldable display maker to its Chinese rival BOE in Q4. The latter supplies foldable OLED panels to Huawei, Honor, and Oppo, the three biggest vendors after Samsung. China Star and Visionox are other notable foldable display makers.

Global foldable display market Q3 2023


[ad_2]
Source link

Hidden Fees to Look Out for in the Comcast Price Increase

0
[ad_1]

Comcast has announced that it will start raising prices for TV, Internet, and Home Protect starting next week. The prices will increase by an average of 3% across the board. On top of Comcast’s prices, additional fees are increasing – including Broadcast TV and Regional Sports fees.

TV service will go up around $6 per month for your TV package and a $4 price hike on the broadcast TV fees. Regional sports fees will go up by about $1 per month. Bundles of premium channels are also seeing a price hike, between $2 and $4 per month.

Internet customers will see their prices increase by an average of $4 per month across all its internet packages. Home Protect customers will also see a price increase of $5 per month.

Finally, customers with all three services bundled can expect their bills to jump by as much as $20 per month. This will depend on what they subscribe to – especially regarding TV packages.

These prices are set to go into effect on December 18, 2023. So, bills after that date will reflect the new price hikes.

Comcast is raising prices as costs rise

Many consumers immediately call the company greedy whenever they see these price increases. But that’s not always the case. A lot of the time, these price increases are due to increased costs for cable companies. Cable networks are forcing them to pay more to carry their networks – and they are also forced to carry all of their networks instead of just one or two.

Recently, we’ve seen price hikes from YouTube TV, Hulu + Live TV, DIRECTV Stream, and DIRECTV (non-streaming), so Comcast is not alone here. The cost of content continues to rise, and just like any other company, Comcast is passing that higher cost onto the user.

These price increases are expected to bring Comcast’s average monthly revenue per subscriber up even higher. Currently, the average is $129 per month. This is revenue, not profit. Which means the average Comcast customer pays $129 per month.


[ad_2]
Source link

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

0
[ad_1]

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new AI-powered capability enhancing its Smart Alerting system.

The new AI-powered insights enhances the Reflectiz Smart Alerting system by integrating AI LLM technology on top of its traditional alerting tool for cross-checking the validity of the alert with Reflectiz’s extensive databases. It then recommends the next steps, indicating whether it’s safe to approve or requires further investigation while providing clear justification for that decision. The system immediately raises a flag if any component is identified as uncommon, malicious, or vulnerable. This empowers our customers to rapidly detect and respond to malicious activities, thwarting the latest advancements in cyberattacks.

Statistically, new applications and new domains are the most common alerts, and the AI engine recommendations can save 25%-30% of the time managing the new alerts. 

Quick Justifications for PCI DSS Audits

PCI DSS requires the detection, approval, and justification of each script loaded on the application page. If you choose to approve an application, the AI engine can automatically generate the justification for you. This rationale will then be included in the PCI report, as usual, leading to a reduction in the time spent on PCI.

Reflectiz now offers a free PCI Dashboard for 30 days, helping clients meet the new PCI DSS v4 requirements and bolster their web security.

Idan Cohen, Reflectiz co-founder and CEO, states, “Today, Reflectiz takes a significant step forward by integrating LLM into our alert system. This enhances our platform, enabling clear justifications within seconds and allowing security teams to respond swiftly to prevent security and privacy breaches.”

About Reflectiz:

Reflectiz is a leading cybersecurity company specializing in next-generation web threat management. Years of research by cybersecurity experts have led to the development of our cutting-edge platform, which is trusted by global companies to keep their websites secure. Recognized by Gartner for innovation in website security, Reflectiz is dedicated to combating today’s web threats and making the internet a safer place for businesses and customers alike.

This revision maintains the essential information while improving readability and conciseness.

Book a personalized demo here.


[ad_2]
Source link

Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials

0
[ad_1]

Intruder.io, a London, England-based cybersecurity firm, conducted a self-hack using a DNS rebinding attack, enabling them to extract low-privileged AWS credentials.

Cybersecurity firm Intruder has published blog posts explaining how they got hacked by successfully exploiting a DNS rebinding vulnerability that allowed them to extract low-privileged AWS (Amazon Web Services) credentials. They discovered a DNS rebinding vulnerability in their platform after hacking themselves.

Although rare, DNS rebinding exploitation is a persistent threat. In 2018, Hackread.com reported cybersecurity firm Armis’ research, which revealed that over half a billion (496 million) IoT devices were found vulnerable to DNS rebinding, most used by enterprises.

Intruder’s penetration tester Daniel Thatcher noted that while the vulnerability’s impact was limited due to the prevailing security measures, the exploit indicates the feasibility of DNS rebinding attacks in time-constrained scenarios like penetration testing.

Further probing helped him achieve reliable split-second DNS rebinding in Chrome, Edge, and Safari browsers, which was surprising, specifically when IPv6 was available.

The vulnerability was discovered in Intruder’s screenshot workers, which capture snapshots of customer websites. Since these follow HTTP redirects before taking screenshots and lack restrictions on accessing the internal EC2 metadata service, it became possible to expose AWS credentials for available roles.

Leveraging this vulnerability, a public web server was set up to redirect to the EC2 metadata service endpoint. When a worker took a screenshot of this server, it captured the list of available roles, revealing sensitive information. Through further modification, Thatcher obtained actual credentials for a specific role.

Thatcher notified the DevOps team and tried to fix the issue by implementing network-level restrictions to prevent the “screenshotting tool from accessing the metadata service”, the blog read.

Daniel also switched workers to using IMDSv2, thinking this would prevent the attack by making it compulsory to include a token in a header in all requests to the metadata service by making a PUT request to a specific endpoint on the metadata service.

With HTTP redirects, such as those Intruder’s screenshot workers were following, it isn’t possible to set headers, make PUT requests or view their responses. That’s when it occurred to him that DNS rebinding could potentially enable them to bypass restrictions on major browsers and private network requests.

In browsers, traditional DNS rebinding allows attackers to access internal network services by tricking victims into loading a malicious website. However, given that modern web applications are driving headless browsers for their functionality, it’s become a useful tool for attacking web apps by returning both public (attacker-controlled) and target server IP addresses.

The attack relies on the browser first communicating with the public server and loading the attacker’s page. The attacker’s server then blocks traffic, forcing the browser to fall back to the target server, allowing JavaScript on the attacker’s page to send requests to the target server with the same origin.

The extracted credentials had minimal permissions and limited potential damage, but service disruption was possible. They could prevent further digging into AWS and possible harm by limiting access to other HTTP services.

Thatcher concluded that multiple security layers could minimise the attack surface even if the vulnerability was exploited. The screenshot worker vulnerability was patched with IMDSv2 implementation.

Strengthen Your Security Before External Threats Strike

Conducting ethical hacking or penetration testing, wherein you intentionally hack into your own network to identify security vulnerabilities, is a proactive and strategic approach to bolstering cybersecurity defences.

By simulating real-world attack scenarios, organizations can gain valuable insights into potential weaknesses that could be exploited by malicious actors. This self-imposed testing allows for the discovery of vulnerabilities before they can be maliciously leveraged by external threats.

Understanding these weaknesses enables organizations to implement strong security measures, apply necessary patches, and strengthen their defences, ultimately reducing the risk of unauthorized access, data breaches, or other cyber threats.

Simply put, hacking oneself provides an opportunity to address vulnerabilities beforehand, ensuring a more secure network environment before adversaries have a chance to exploit identified vulnerabilities.

  1. Cybersecurity firm exposes 5 billion data breach records
  2. Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm
  3. WH National Cybersecurity Strategy: Software Firms Liable for Breaches
  4. Cybersecurity firm Stormshield breach; customer data, source code stolen
  5. LockBit 3.0 Posts Dubious Claims of Breaching Darktrace Cybersecurity Firm

[ad_2]
Source link