Save $60 on the Jabra Elite 5 for Amazon Prime Day

0
[ad_1]

What’s better than a pair of premium earbuds? A pair of premium earbuds that are discounted! The Jabra Elite 5 are now $60 off for Amazon Prime Day.

Jabra is a popular name in the wearable space, and its line of earbuds consists of some of the best earbuds that you can buy. At the top of the pecking order, we have the Elite earbuds. These have some of the best features that you can get on a pair of TWS earbuds.

The Jabra Elite 5 have a pair of 6mm drivers that deliver a powerful sound. They’re capable of producing a great sound for whatever genre you’re listening to. Not only that, but these earbuds come with a wide range of codecs that deliver different listening experiences.

The Jabra Elite 5 are a durable set of earbuds that you can take anywhere, even during your workout. They have an IP55 water and dust resistance rating. This means that you don’t have to worry about them getting damaged if you sweat on them during a workout. They’re also secure enough to survive a light drizzle if you’re caught in the rain.

When it comes to battery life, these earbuds are meant to last you the day. By themselves, the Jabra Elite 5 will last you 7 hours on a single charge. That’s good enough, but they come with a charging case. With the case, they will last you a full 28 hours on a single charge. That’s more than enough to get you through any work shift.

These earbuds come with a great app experience. The Jabra app lets you control multiple aspects of the earbuds. You can enable/disable the ANC and transparency mode, adjust the EQ, update the firmware, and more. These are great earbuds, and the discount only makes them better.


[ad_2]
Source link

Massive DDoS Attack Leveraged Zero-Day in HTTP/2 Rapid Reset

0
[ad_1]

Multiple Google services and Cloud users were allegedly the target of a unique HTTP/2-based DDoS attack. 

The attack used a cutting-edge method known as HTTP/2 Rapid Reset, a zero-day vulnerability in the HTTP/2 protocol tagged as CVE-2023-44487 that may be used to launch DDoS attacks.

The stated attack magnitudes are: Amazon mitigated attacks at a rate of 155 million requests per second, Cloudflare at 201 million rps, while Google withstood attacks at a record-breaking 398 million rps.

“These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second”, Google said.

Document
FREE Demo

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Details of the Largest DDoS Attack

In this case, the HTTP/2 protocol allows clients to instruct the server that a previous stream should be canceled by sending an RST_STREAM frame. The protocol does not call for any kind of coordination between the client and server; the client is free to cancel on their own. 

The Rapid Reset attack uses this technique to send and reject requests quickly, evading the server’s concurrent stream limit and overwhelming it without exceeding the specified threshold.

Attacks using numerous HTTP/2 connections that quickly switch between requests and resets are known as HTTP/2 rapid reset attacks.

HTTP/1.1 and HTTP/2 request and response pattern
HTTP/1.1 and HTTP/2 request and response pattern

Each connection can have infinite requests in flight due to the ability to reset streams instantly. This allows a threat actor to send a flood of HTTP/2 requests that can overwhelm a targeted website’s capacity to respond to new incoming requests, effectively shutting it down.

Hence, threat actors can overwhelm websites and take them offline by starting hundreds of thousands of HTTP/2 streams and quickly canceling them at scale over an established connection.

According to Cloudflare, this attack was made possible by exploiting various HTTP/2 protocol features and server implementation specifics.

Any vendor implementing HTTP/2 will likely be vulnerable to the attack since it takes advantage of a flaw in the HTTP/2 protocol. All modern web servers were included in this.

“CVE-2023-44487 is a different manifestation of HTTP/2 vulnerability. However, to mitigate it we were able to extend the existing protections to monitor client-sent RST_STREAM frames and close connections when they are being used for abuse. The legitimate client uses for RST_STREAM are unaffected”, Cloudflare reports.

The attack technique has been shared with web server suppliers by Cloudflare, Google, and AWS; all hope that these companies will roll out updates.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


[ad_2]
Source link

Unveiling Vulnerabilities: Penetration Testing Services

0
[ad_1]

Penetration testing is vital as it helps identify vulnerabilities in a system or network, allowing organizations to proactively strengthen their security and protect against real-world cyber threats, ultimately safeguarding sensitive data and assets.

The penetration test, or pentest, is a controlled intrusion into the software system to reveal and eliminate vulnerabilities. Nowadays, the pentest is the closest model to the regular cyber attack and the best means to prevent it.

The need becomes more and more crucial: the statistics of 2022 demonstrates a 40% growth of new vulnerability number compared with 2021, 21,000 to 13,000. 21,000 vulnerabilities per year are invisible for scanners but can bring multimillion losses.

That’s why both principles of penetration testing and text cases themselves make the researchers consider the unique vulnerabilities as valuable precedents and analyze the pentest reports in detail.

Company to Deal with and Its Risks

The zero stage of the pentest is collecting a full package of background information about the reviewed company and the breach if it happened. Let’s model a regular supposed cryptocurrency company, let’s name it Ultimo Chain, which faced the exploit of the native exchange. For better illustration, Ultimo’s model combines features of several real cryptocurrencies, bridges and exchanges, attacked in 2021-2022

Ultimo relies on original blockchain encryption and never passed a test before. But penetration testing success stories teach that a middle or large company needs it crucially. The main company features and risks according to the checklist of OUR SITE experts:

  • Industry. As a cryptocurrency IT business, Ultimo is more interesting for cybercriminals than industrial manufacturers.
  • Market cap. A high-skilled intruder may consider a market leader as a beneficial target despite the complex security system. Ultimo is a medium company with a 150+ ranking on CoinMarketCap with a capitalization under $150M, so it’s a decent trophy.
  • Original system. Software of most middle or bigger businesses is a unique combination of apps, services, connections and client interfaces. A breach in one component may disclose others to malicious actors. Ultimo uses the original coin, stablecoin and exchange, based on their blockchain, several bridges between Ethereum and other altcoins. 
  • Data access policies and staff instructions. Ultimo is an open-source project, and anyone can review its codes on GitHub. The data about financial transactions are encrypted with blockchain and stay in secured clouds. Meanwhile, all communications and supportive information are provided by regular messengers, emails and outer storage. Ultimo has 50+ remote workers with 3 levels of access for partners, regular developers, managers and architects.

After the exploit, the exchange was robbed. Due to further investigation, a hacker took away all native stablecoins (25% of all supply) from the Ethereum pair, sold them on external DEX and covered the tracks in a crypto mixer.

Main Sectors for Vulnerability Detecting 

The Ultimo pentest not only aims for software and several technical supplements but also closely looks for human errors. The research has to detect:

  • data leak sources;
  • hardware malfunctions;
  • sustainability of connections;
  • system errors and wrong settings;
  • weaknesses in the code and encryption; 
  • vulnerabilities related to staff and management.

The specifics of this case study in penetration testing is that its core code is public. However, the GitHub code doesn’t include visible vulnerabilities and was excluded from possible data leak sources.

The pentest team has to pay attention to the following elements:

  • Core software — services and processing software on servers or in clouds, resilience to data leaks, errors and crashes during malware intrusion. 
  • Websites — page displaying, navigation and script procedures during DDoS attacks or corruption by malware, encryption and coding against web page data stealing, reliability of redirecting from multinational sites to local mirrors.  
  • Networks — reliability of connections and protocols for data transfers, vulnerabilities within local company networks and during remote access.
  • Client apps — options and probability of virus invasion, interface misconfigurations, vulnerabilities related to application access and cashed private data.
  • Remote access software — possibilities for malware intrusion in the VPNs and forging IP addresses.
  • Wireless webs — reliability of Internet connection software (routers, encryptors, filters).
  • Hardware functioning (SCADA) — reliability and risks of controlling software in sensors and transmitters. This type relates to power, temperature or pressure equipment, including one inside the servers.
  • Human factor — possibilities for staff, clients or partners to corrupt software or cause data leaks (management of data access levels, fishing and similar hacking techniques).

Most penetration testers are narrow but experienced specialists who analyze the separate categories of vulnerabilities. Then the team discusses the results in complex.

Vulnerability Hunt Step-by-Step

The professional pentest passes by a certified methodology in these steps:

  • Primarily scanning for common vulnerabilities with security scanners (Kali Linux and Rapid7 Nexpose).
  • Additional manual testing for original vulnerabilities.
  • Severity level attribution for vulnerabilities according to standard calculations (NVD by NIST).
  • Test exploitation, including specially written software.
  • Summarizing the research in generated (Cyver Core) and manually complemented reports.
  • Choosing ways to eliminate vulnerabilities.

Security testing professionals may also consult related sources for additional information. In the Ultimo model, the pen specialists review the exchange transaction history. The Ultimo blockchain scanner demonstrates that every recent purchase was cancelled because of a lack of validation nodes. However, after the cancellation, the exchange currency was redirected to the fraudster’s wallet instead of the exchange one.  

How and Why to Classify Vulnerabilities

Vulnerability detection is the first stage of penetration testing case study. The test team detects regular weaknesses with scanners to shorten the time of audit and to allow the experts to focus on manual detecting of special things.

As a result, the company Ultimo received comprehensible metrics of system weaknesses, the most severe among them relating to:

  • Possibilities for access level manipulation.
  • Sending data from the exchange to external apps.
  • Fishing probabilities on personal computers of remote workers because of unsecured messengers and storage.

During the further case study of penetration testing, the found vulnerabilities obtain a category of severity due to their danger levels and potential negative consequences:

  • Critical — The vulnerability is open and can be used by malicious actors at any moment. It allows the malware to run within the organization soft and needs immediate fixing.
  • High — The vulnerability is also available without additional conditions. It doesn’t allow changes within the company’s software, launching of malware or deleting of data. But the actor still can intercept any protected information. 
  • Medium — The vulnerability allows the stealing of only low-priority information and only after the actions of the medium-level specialist. The malware can’t be launched. Most of these cases are due to errors in software configurations.
  • Low — The vulnerability menaces with data leaks and is caused by software configuration, particularly data access levels and company data policies. Using this type of vulnerability requires social engineering and, sometimes, additional software exploits.

The analysis allows the team to qualify the Ultimo vulnerabilities as medium and low. But they seem to be the weaknesses used by the hacker.

Harmless Exploit

The next stage is a practical attack on the researched system but without damage. The pentest team exploit the software only after backups and by agreement with the organization. The main steps:

  • The cyber security team develops several scenarios that involve all found vulnerabilities.
  • The testing system embodies them and records all successful intrusions.
  • The reports go to the company managers with commentaries.
  • The cybersecurity team models the consequences if a malicious actor exploits the same sectors or achieves the same data.
  • The company and pen-testers evaluate the probability of each scenery and calculate possible losses.

The practical deeds adjust the theoretical results. Some vulnerabilities interfere with others and get higher severity levels. Some are offset by other program components and are considered low-risk. The practice often reveals missed weaknesses and unexpected consequences of an exploit.

The penetration testers try to recreate the scenery of the Ultimo exploit as the main one. It combines the detected vulnerabilities, social engineering and data from the blockchain scanner:

  • The tester rewrites and compiles an open-source code to get a binary file.
  • Then, the expert creates a classic fishing email trap, involving a fake Google authentication, uses saved passwords in the target’s browser and gets access to the Ultimo designer’s account at the external storage.
  • The specialist uses a popular hacking solution to get the third level of access and, as a result, reads the project manager’s database of developers’ information in the common documents.
  • With the received accesses, the tester can enter the site server (even without a proxy), replace the purchase binary file with the forged one and relaunch the exchange.

The checking transaction of a small amount shows that the exploit was successful, and the tester backed the replaced file. The used scenery allows not only stealing money but also deleting the whole exchange, source codes and all supportive materials (except backups on the staff computers). 

Strategies and Recommendations to Overcome Security Problems

After discussing vulnerabilities and related risks, the testers offer ways to solve them. The company compares their reliability and necessary expenses for choosing the best solutions for this penetration testing and test cases.

Additionally, the pentest team advises how to prevent similar troubles during the renovation of software and expansion of business processes. By the company’s wish, the team describes the signs of danger and general ways that can lead to it.

These are general recommendations for Ultimo, which will suit any organization:

  1. Creation of the security software list for obligatory installation by remote staff. 
  2. Using secured data rooms or similar business solutions instead of regular storage.
  3. Monitoring and notification of leading developers of all server changes.
  4. Using one-way data encryption and doubling for databases.
  5. Integration of biometric identification for the second and third security levels in storage.
  6. Registration of all involved devices by the administrator.

These steps contour the security update plan, but exact solutions must be developed for and together with an individual company only. 

Mutual Collaboration for the Best Results

The pen-testing team consults the researched company while implementing the offered changes. They control the quality of the work and adjust algorithms if the direct implementation faces inconvenience. 

Due to penetration testing success stories, the team and company must share clear results and control each other’s work. The testers list all vulnerabilities, the company notifies the testers about all implementation nuances. 

Ultimo is also recommended to pass the penetration test periodically because the company:

  1. make frequent global upgrades of both blockchain and apps;
  2. integrates new cryptocurrencies and fiat payment methods;
  3. develops apps for smart TVs and desktops.

In short, not only major leaks but any global change should be accompanied by a new professional pen test.

Benefits for Pentested Companies

Despite the best-quality blockchain, the modelled cryptocurrency company failed in supporting factors, especially related to data storage and human errors. Elimination of these vulnerabilities helps Ultimo to prevent:

  • data leaks;
  • new money and time losses;
  • decreasing company market value.
  • further spoiling of reputation and losing of clients;

In total, the pentest fosters Ultimo in increasing its market sustainability and advancing competitors. The costs of both pentest and improving the company’s security pay off especially quickly in the case of the trendy crypto industry.

Pentest: Way to Forget about Intruders

Penetration test with further upgrades is the best way to cut losses on hacks and overcome their consequences of high quality and a unique way. That’s why the results of each case study of penetration testing are so valuable.

As any modern company has a unique software complex, common solutions do not suit it. Only manual testing with a customized plan and hands-on exploit can reveal all security weaknesses. Finally, the pentest services are a safe and affordable way to advance the competitors and secure the company’s market future.

  1. The Most In-Demand Freelance Skills for 2023
  2. Top Certifications for Network Security Administrators
  3. We Need Smarter Smart Contracts To Prevent DeFi Hacks
  4. Penetration Testing And Their Methodology In Cybersecurity
  5. 5 Proven Cyber Security Certifications That Will Boost Your Salary

[ad_2]
Source link

Motorola brings Razr 2023 foldable to the US with affordable pricing

0
[ad_1]

Motorola has just brought a new foldable smartphone to the US. It’s the Razr 2023 clamshell foldable, also known as the Razr 40 in some international markets. The company unveiled it alongside the Motorola Razr+ (aka Razr 40 Ultra) in June, but only the Plus model was available in the US so far. The standard Razr 2023 is finally here.

Motorola Razr 2023 debuts in the US with an affordable price tag

Priced at $699.99, the Motorola Razr 2023 is the most affordable foldable smartphone in North America. In fact, it’s the cheapest folding phone yet globally, with the Tecno Phantom V Flip priced identically in other markets. The new Razr massively undercuts Samsung’s Galaxy Z Flip 5 and Motorola’s Razr+ in terms of pricing. The latter two cost $999.99.

As you’d expect, the phone’s cheaper because it compromises on a few things. Most notably, it sports a much smaller cover display. Motorola has equipped it with a 1.5-inch rectangular screen on the outside. The Razr+ has a square-shaped 3.6-inch external display. The standard model’s cover screen won’t let you run apps, but you can still check notifications, control media, and more.

Motorola Razr 2023 AM AH 24

Motorola has also downgraded the Razr 2023 to the Snapdragon 7 Gen 1 SoC, which is a mid-range processor (the Plus model uses the flagship Snapdragon 8+ Gen 1). It gets UFS 2.2 storage (128GB and 256GB) as opposed to UFS 3.1 (256GB and 512GB). RAM downgrades from LPDDR5 to LPDDR4X. The cheaper foldable misses out on a glass back as well, with the company slapping vegan leather rear panels on it with the same IP52 water-repellent coating.

The main folding screen is the same across the two models, though Motorola is offering a higher refresh rate on the Razr+ (144Hz vs. 165Hz). Coming to the cameras, the Razr 2023 features a 64MP primary shooter with laser autofocus, PDAF (phase-detection autofocus), and OIS (optical image stabilization). It’s paired with a 13MP ultrawide lens and a 32MP selfie camera. The Razr+ has a 12MP main camera but keeps the other two sensors unchanged.

Motorola promises three major Android OS updates

The Motorola Razr 2023 compromises in most of the areas except for the battery capacity. It features a 4,200mAh batter, much bigger than the Plus model’s 3,800mAh unit. The device supports 30W wired charging and 5W wireless charging. It also boasts dual stereo speakers with Dolby Atmos and runs Android 13 out of the box. Motorola says the phone will get three major Android OS updates and four years of security updates following its launch.

Speaking on the launch, the Razr 2023 will be available for pre-order (via) in the US from Thursday, October 12. TGeneral sales will begin a week later, on October 19. Early buyers will get a flat $100 discount on the phone, bringing it down to just $599.99, which is an unbeatable price for a new foldable smartphone. The handset comes in a range of vibrant colors, including Cherry Blossom, Sage Green, Summer Lilac, and Vanilla Cream.

Motorola Razr 2023 AM AH 09


[ad_2]
Source link

Utah sues TikTok for addicting children to the app

0
[ad_1]

TikTok has long been under hot water with governments worldwide, thanks to its deranged data privacy practices. Now, in a recent development, Utah’s Division of Consumer Protection (UDCP) filed a lawsuit against TikTok for its alleged involvement with the Chinese company, ByteDance, and its addictive nature for children.

As explained by Utah Governor Spencer Cox, TikTok not only misled parents about the safety of its app for children but also “illegally baited children” with features designed to encourage continuous scrolling, ultimately increasing revenue for the app.

“We will not stand by while these companies fail to take meaningful action to protect our children. We will prevail in holding social media companies accountable by any means necessary,” said Cox.

Three alleged violations

The lawsuit outlines three alleged violations of Utah’s consumer protection laws by TikTok. Firstly, the company manipulated children through its features. Secondly, the lawsuit claims that the app misrepresented its safety measures, deceiving users into believing it could maintain a secure digital environment for children. Lastly, the company misled users about its relationship with ByteDance.

Furthermore, the lawsuit delves into broader concerns about social media apps and argues that TikTok’s vertical swipe to load new videos is addictive, taking advantage of users returning for the dopamine rush.

Not the only legal trouble for the app

While this lawsuit represents a significant development, it isn’t TikTok’s first encounter with such accusations in the US. This is because last year, Indiana sued the app on similar charges. And in June, the Maryland school district targeted TikTok, stating that the app is contributing to a “mental health crisis” among students.

Beyond the lawsuit, Utah has already passed two pieces of legislation that impose strict restrictions on minors’ access to social media apps, including limiting the hours children can use the app, implementing strict age verification, and giving users access to minors’ accounts, including personal DMs.


[ad_2]
Source link

Customers’ Credit Card Details Exposed

0
[ad_1]
Air Europa Breached

On Tuesday, Air Europa, a Spanish airline, experienced a security breach where cybercriminals gained unauthorized access to the credit card information of the airline’s customers.

Following the attack, the airline took the necessary steps to email the impacted customers and inform the relevant financial institution of the incident.

The company has chosen not to reveal the precise count of clients who were affected by the breach, nor have they provided any details about the monetary impact resulting from the security incident.

But they said no other information has to be exposed. “There is no evidence that the breach was ultimately used to commit fraud,” the airline said.

Document
FREE Demo

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

If you have used your card to make payments on the Air Europa website, you should cancel the card and get a replacement as soon as possible.

This will help to protect your personal and financial information from any potential fraudulent activities. The organization strongly recommends taking this precautionary measure to safeguard the affected customers.

The individuals who were sent the email have been instructed to monitor the activities of Air Europa closely and have urged the relevant data protection authorities to launch an investigation into the matter.

The cyberattack happened because fraudulent use of the compromised cards might have occurred before the business sent a warning by a Spanish consumer association, OCU.

It is worth noting that the recent cyber attack is not the first security breach that the company has faced. In fact, in 2021, Europa experienced a similar incident where they mishandled confidential information of 489,000 customers.

The most concerning aspect of this breach is that the company took 41 days to report the incident, which clearly violates the mandatory reporting timeline of 72 hours.

While Iberia and Vueling are the two largest Spanish airlines, Air Europa Lneas Aéreas, S.A.U., doing business as Air Europa, is the third largest.

The number of security breaches is growing rapidly every day. Unfortunately, there is currently no practical solution to fix these breaches and prevent them from happening again.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.


[ad_2]
Source link

New Magecart Attack Uses 404 Errors to Steal Your Card Data

0
[ad_1]

A Magecart attack is a type of digital credit card skimming attack where malicious code is injected into e-commerce websites to steal payment card information from unsuspecting customers during online transactions.

KEY FINDINGS

  • Akamai has discovered a new Magecart campaign in which scammers manipulate the default 404 error messages to inject malicious code.
  • The malicious code is injected as bogus Meta Pixel code or an inline script.
  • The skimmer overlays a checkout form exactly as those generated by genuine e-comm websites for capturing shoppers’ financial data.
  • The data is exfiltrated as a Base64-encoded string.
  • Magento and WooCommerce websites are the key targets in this campaign.
  • Large organizations in the retail and food sectors are prominent targets.

Akamai Security Intelligence Group’s researchers have noticed a much more sophisticated and creative wave of Magecart attacks in a newly detected digital skimming campaign. The unique aspect of this campaign is that scammers are exploiting the 404 errors generated by websites to steal sensitive financial data.

In the blog post published Monday, Akamai security researcher Roman Lvovsky wrote that malicious code is injected into 404 error pages, mainly Magento and WooCommerce websites. The websites were directly exploited, and the malicious code snippet was added to one of their “first-party resources.”

In this campaign, the recurring targets are large organizations from the retail and food sectors. The attack is divided into three parts, making it a challenge for researchers and scanning tools to detect it. Moreover, it helps activate the attack in full flow on the targeted pages.

Lvovsky explained that Magecart attacks involve exploiting vulnerabilities in targeted websites or in third-party services used by those websites to deploy skimming malware on their payment pages. Once the loader gets executed, the malware sends a fetch request to a relative path “/icons” that doesn’t exist, and the request leads to the 404 Not Found Error.

“Upon analysis of the HTML returned in the response, it seemed like the default 404 page of the website. This was confusing and made us wonder if the skimmer was no longer active on the victim websites we found.”

Roman Lvovsky – Akamai

Tip: How to check for websites hacked to run web skimming, magecart attack

Further probing revealed a regex match in the loader for the COOKIE_ANNOT string in the HTML of the error 404 page, and a lengthy Base64-encoded string was next to it, which contained the obfuscated JavaScript attack code. 

What happens is that the loader extracts the string from the comment to decode and then executes the attack. When the JavaScript skimmer gets activated, a fake checkout form is displayed, and visitors are prompted to enter sensitive data, including credit card details, expiration date, and security code. A fake Session Timeout error follows this while the exfiltrated data is transferred to a remote server through an image request URL disguised as an image fetch event to evade detection by network traffic monitoring services.

When researchers simulated more requests to that path, all returned the same error page containing the malicious code. This means the attackers could modify the default error page for the website and successfully inject the malicious code.

Akamai detected two more variants of this attack. One hides the malicious code in an inappropriately formatted HTML image tag with an onerror attribute. The other hides the code in an inline script disguised as Meta Pixel code, a popular Facebook visitor activity tracking service.

A Magecart attack involves adding malicious code into e-comm websites to steal users’ personal and financial data. End-users must remain vigilant when entering data on websites. It is essential to keep website plugins and software up-to-date and filter out malicious traffic with a web application firewall. Lastly, implement CSP (content security policy) to restrict the types of scripts websites can execute.

  1. 100s of schools at risk after Magecart attack on Wisepay
  2. Major Magecart skimming attack hits 8 local US government sites
  3. Magecart hackers launched largest ever attack against Magento stores
  4. Lazarus hackers use Magecart attack to steal card data from EU, US sites
  5. Chinese Silent Skimmer Attack Hits Businesses in APAC and NALA regions

[ad_2]
Source link

This premium Anker charger cable is half off for Prime Day

0
[ad_1]

You need to keep your devices charged, and premium chargers are the best option. Anker is one of the top companies for charger cables, and the Anker 765 USB-C to USB-C Cable is 57% off for Amazon Prime Day.

This might be a much more important deal now that the iPhone 15 series uses USB-C. Sure, you can buy USB-C cables from Apple, but there are a ton of options open to you. The Anker 765 USB-C Cable is an extremely sturdy cable that will resist tearing or breaking more than traditional chargers. It’s thick and it has a woven material protecting it.

As for the power delivery, it can offer up to 240W of power. That doesn’t mean that using it will boost the power delivered to 240W, however. It means that if you plug in a 240W charger, and the device can take 240W of power, then it will be able to deliver that power. So, if you’re using this cord to charge your computer, you won’t need to worry about charging speeds.

This cable is more than powerful enough to charge your MacBook, iPad, Chromebook, and other devices. Obviously, it will get your phone charged up as well.

As for the durability, this cord is built to last. This charger cord is built to survive 35,000 bends. This means that you can use it for the long run.

Along with this cord, you can also check out the Anker Prime 100W USB-C Charger, which is also discounted for Prime Day. It’s $55.99, down from $84.88. This is a GaN charger that can deliver up to 100W of power.

You can also get the Anker Prime 67W Wall Charger. It’s $37.99, down from $59.99. This one will still get you a decent 67W of power.

Anker 765 USB-C to USB-C Cable – Amazon


[ad_2]
Source link

3 Zero-days and 100+ vulnerabilities Fixed in Microsoft Update

0
[ad_1]

Microsoft has published its October security patches in which over 100 vulnerabilities were fixed in multiple Microsoft products, including Windows 10, Windows 11, Windows Server, Microsoft Office, Skype, and other major Microsoft products.

As per the security patch report, 45 Remote code execution vulnerabilities contributed to 400+ affected Microsoft products. However, only 12 of these 45 critical vulnerabilities were marked as “Critical” by Microsoft.

Apart from these 45 Remote Code Execution Vulnerabilities, there were 26 Elevation of Privilege Vulnerabilities, 17 Denial of Service Vulnerabilities, 12 Information Disclosure Vulnerabilities, 3 Security Feature Bypass Vulnerabilities, and 1 Spoofing Vulnerability addressed.

Document
FREE Demo

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Three Actively exploited Zero-days

In addition to this, Microsoft also released patches for three actively exploited Zero-day vulnerabilities, which affect Skype (CVE-2023-41763), WordPad (CVE-2023-36563), and an HTTP/2 Rapid Reset attack (CVE-2023-44487). 

CVE-2023-41763: Skype – Privilege Escalation

A threat actor can exploit this particular vulnerability by making a specially crafted network call to the target Skype for Business server, which leads to the parsing of an HTTP request made to an arbitrary address, resulting in the disclosure of IP addresses or port numbers or both to the threat actor. The severity for this vulnerability has been given as 5.3 (Medium).

“While the attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).” reads the advisory by Microsoft.

CVE-2023-36563: WordPad – Information Disclosure Vulnerability

This vulnerability can be exploited by a threat actor, allowing NTLM hashes to be disclosed. However, this vulnerability has a prerequisite requiring the threat actor to log on to the system first.

After this, the threat actor can run a specially crafted application that could exploit this vulnerability and take control of the affected system. The severity of this vulnerability has been given as 6.5 (Medium).

Microsoft security advisory states, “An attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.” 

CVE-2023-44487 – HTTP/2 Rapid Reset Attack

This particular vulnerability uses the HTTP/2 stream cancellation feature, which resets the many streams quickly. Furthermore, this vulnerability leads to a Denial-of-Service condition on affected servers or applications. This vulnerability was discovered to be exploited in the wild from August through October 2023. The severity of this vulnerability is being analyzed.

Moreover, this vulnerability was addressed collaboratively by Cloudflare, Amazon, and Google. Microsoft also stated that CVE-2023-41763 and CVE-2023-36563 were publicly disclosed.

Users of the affected Microsoft products mentioned in the security advisory are advised to upgrade to the latest versions of the software released in order to prevent the vulnerabilities from getting exploited. 

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


[ad_2]
Source link