Pnuel Solutions

19/05/2020

Undoubtedly, COVID-19 has brought a global crisis and businesses have not been spared. It is therefore necessary we sharpen our sense of recognition to identify opportunities and learn requisite strategies needed to succeed in the new normal. This training promises to make you understand the *'HOW'* of business success during and beyond crisis. Register today by clicking https://tinyurl.com/ATP2SM1

31/08/2019

How about a giveaway?

04/05/2019

Wao first Alpha bay now this.. all this market are gone, Thanks to God Our world is becoming safer

Europol Shuts Down Two Major Illegal 'Dark Web' Trading Platforms
May 03, 2019**Credit to Wang Wei (THN)**
dark web market
Europol announced the shut down of two prolific dark web marketplaces—Wall Street Market and Silkkitie (also known as Valhalla)—in simultaneous global operations against underground websites for trading drugs, stolen credit card numbers, malicious software, and other illegal goods.

Police in western Germany has also arrested three men who were allegedly running Wall Street Market, the world's second largest dark marketplace with more than a million users and 5,400 vendors.

Besides this, the operation involving Europol, Dutch police and the FBI also led to the arrests of two major suppliers of narcotics via the Wall Street Market site in Los Angeles, the United States.

According to the Europol, the police officers seized the computers used to run the illegal market place, along with more than €550 000 (£472,000 or $621,000) in cash, more than €1 Million in Bitcoin and Monero cryptocurrencies, expensive cars, and other evidence.
wall street market dark web
In a press release published today, Europol also revealed that Finnish authorities shut down the Silkkitie marketplace earlier this year, which was operating since 2013 on The Onion Router (Tor) network and was "one of the oldest and internationally best-known Tor trade sites."

Based on the findings of the investigation, Finnish Customs also seized a significant amount of Bitcoin, following the shut down of Silkkitie, known as the Valhalla Marketplace.

"After the Silkkitie (Valhalla) site was shut down by the authorities, some of the Finnish narcotics traders moved their activities to other illegal trade sites in the Tor network, such as Wall Street Market," Europol says.

According to the press release, over 63,000 sales offers were placed on the Wall Street Market most recently, and over 1.1 million customer accounts and more than 5,400 sellers were registered. The site's administrators charged 2 to 6% commission on sales.

The Department of justice today charged the three men arrested in Germany with two felony counts—conspiracy to launder monetary instruments and distribution, and conspiracy to distribute controlled substances.

According to the DoJ, the Wall Street Market administrators allegedly conducted an "exit scam" last month when they took all of the virtual currency held in marketplace—believed by investigators to be approximately $11 million—and then transferred it to their own accounts.

The operation was conducted in cooperation with German Federal Criminal Police (Bundeskriminalamt), the Dutch National Police (Politie), Europol, Eurojust, and various US government agencies, including Drug Enforcement Administration, FBI, Internal Revenue Service, Homeland Security, US Postal Inspection Service, and the US Department of Justice.
Have something to say about this article? Comment below or share it

04/05/2019

Europol Shuts Down Two Major Illegal 'Dark Web' Trading Platforms
May 03, 2019**Credit to Wang Wei (THN)**
dark web market
Europol announced the shut down of two prolific dark web marketplaces—Wall Street Market and Silkkitie (also known as Valhalla)—in simultaneous global operations against underground websites for trading drugs, stolen credit card numbers, malicious software, and other illegal goods.

Police in western Germany has also arrested three men who were allegedly running Wall Street Market, the world's second largest dark marketplace with more than a million users and 5,400 vendors.

Besides this, the operation involving Europol, Dutch police and the FBI also led to the arrests of two major suppliers of narcotics via the Wall Street Market site in Los Angeles, the United States.

According to the Europol, the police officers seized the computers used to run the illegal market place, along with more than €550 000 (£472,000 or $621,000) in cash, more than €1 Million in Bitcoin and Monero cryptocurrencies, expensive cars, and other evidence.
wall street market dark web
In a press release published today, Europol also revealed that Finnish authorities shut down the Silkkitie marketplace earlier this year, which was operating since 2013 on The Onion Router (Tor) network and was "one of the oldest and internationally best-known Tor trade sites."

Based on the findings of the investigation, Finnish Customs also seized a significant amount of Bitcoin, following the shut down of Silkkitie, known as the Valhalla Marketplace.

"After the Silkkitie (Valhalla) site was shut down by the authorities, some of the Finnish narcotics traders moved their activities to other illegal trade sites in the Tor network, such as Wall Street Market," Europol says.

According to the press release, over 63,000 sales offers were placed on the Wall Street Market most recently, and over 1.1 million customer accounts and more than 5,400 sellers were registered. The site's administrators charged 2 to 6% commission on sales.

The Department of justice today charged the three men arrested in Germany with two felony counts—conspiracy to launder monetary instruments and distribution, and conspiracy to distribute controlled substances.

According to the DoJ, the Wall Street Market administrators allegedly conducted an "exit scam" last month when they took all of the virtual currency held in marketplace—believed by investigators to be approximately $11 million—and then transferred it to their own accounts.

The operation was conducted in cooperation with German Federal Criminal Police (Bundeskriminalamt), the Dutch National Police (Politie), Europol, Eurojust, and various US government agencies, including Drug Enforcement Administration, FBI, Internal Revenue Service, Homeland Security, US Postal Inspection Service, and the US Department of Justice.
Have something to say about this article? Comment below or share it

01/05/2019

DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days
May 01, 2019**Credit to Mohit Kumar**
CISA critical vulnerabilities

In recent years, we have seen how hackers prey on those too lazy or ignorant to install security patches, which, if applied on time, would have prevented some devastating cyber attacks and data breaches that happened in major organisations.

The United States Department of Homeland Security (DHS) has ordered government agencies to more swiftly plug the critical security vulnerabilities found on their networks within 15 calendar days since the initial detection, a reduction from 30 days.

DHS's Cybersecurity and Infrastructure Security Agency (CISA) this week issued a new Binding Operational Directive (BOD) 19-02 instructing federal agencies and departments to address "critical" rated vulnerabilities within 15 days and "high" severity flaws within 30 days of initial detection.

The countdown to patch a security vulnerability will start when it was initially detected during CISA's weekly Cyber Hygiene vulnerability scanning, rather than it was the first report to the affected agencies.

"As federal agencies continue to expand their Internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems," reads the memo from CISA Director Chris Krebs.

"Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities."

Therefore, to minimize the risk of unauthorized access to any federal information internal system and reduce the overall attack surface, the CISA wants government agencies to review and remediate critical vulnerabilities on Internet-facing systems before hackers and cybercriminals exploit them.

The recently created CISA agency provides regular reports to the federal agencies on Cyber Hygiene scanning results and current status, informing them of the detected vulnerabilities, classified based on their CVSSv2 score.

Agencies who do not complete their remediation within the allotted time period, CISA will send an additional reminder to agencies, asking them to submit the complete remediation plan within three working days to CISA.

BOD 19-02 replaces BOD 15-01—Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies' Internet-Accessible Systems (May 21, 2015)—which gave federal agencies 30 days to patch critical vulnerabilities.

This is the second BOD that CISA has released this year. Following a series of DNS hijacking incidents, the agency issued an "emergency directive" earlier this year, ordering federal agencies to audit DNS records for their respective website domains and other agency-managed domains within 10 days.

Have something to say about this article? Comment below or share it

30/04/2019

Unprotected Database Exposes Personal Info of 80 Million American Households
April 30, 2019credit to Wang Wei (thn)
america personal data leak
A team of security researchers has claims to have found a publicly-accessible database that exposes information on more than 80 million U.S. households—nearly 65 percent of the total number of American households.

Discovered by VPNMentor's research team lead by hacktivists Noam Rotem and Ran Locar, the unsecured database includes 24GB of extremely detailed information about individual homes, including their full names, addresses, ages, and birth dates.

The massive database which is hosted on a Microsoft cloud server also contains coded information noted in "numerical values," which the researchers believe correlates to homeowners' gender, marital status, income bracket, status, and dwelling type.

Fortunately, the unprotected database does not contain passwords, social security numbers or payment card information related to any of the affected American households.

The researchers verified the accuracy of some data in the cache, but they did not download the complete data in order to minimize the invasion of privacy of the affected ones.

The research team discovered the database accidently while running a web mapping project using port scanning to examine known IP blocks in order to find holes in web systems, which they then examine for weaknesses and data leaks.

Usually, the team alerts the database owner to report the leak so that the affected company could protect it, but in this case, the researchers were unable to identify the owner of the database.

"Unlike previous leaks we've discovered, this time, we have no idea who this database belongs to," the team says in a blog post. "It's hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner."

The unsecured Database was online until Monday and required no password to access, which has now been taken offline.

Since each entry in the database ends with 'member_code' and 'score' and no one listed is under the age of 40, the researchers suspect the database could be owned by insurance, healthcare, or mortgage company.

However, information like policy or account numbers, social security numbers, and payment types is missing from the database that someone may expect to find in a database owned by brokers or banks.

The researchers then called on the public on Monday to help them identify who might own the database in question so that it can be secured.

Though the database did not expose sensitive card information or SSNs, the disclosed data is enough to be concerned about identity theft, fraud, phishing scams, and even home invasion.

Rotem is the same security researcher who earlier this year found a severe vulnerability in the popular Amadeus online flight ticket booking system that could have allowed remote hackers to view and modify travel details of millions of major international airlines' customers and even claim their frequent flyer miles.

Have something to say about this article? Comment below or share it

28/04/2019

Wao, My beloved facebook, my beloved Mark

New York, Canada, Ireland Launch New Investigations Into Facebook Privacy Breaches
April 27, 2019***Credit to Swati Khandelwal***
facebook privacy investigation fine
Facebook has a lot of problems, then there are a lot of problems for Facebook—and both are not going to end anytime sooner.

Though Facebook has already set aside $5 billion from its revenue to cover a possible fine the company is expecting as a result of an FTC investigation over privacy violations, it seems to be just first installment of what Facebook has to pay for continuously ignoring users' privacy.

This week, Facebook has been hit with three new separate investigations from various governmental authorities—both in the United States and abroad—over the company's mishandling of its users' data.

New York Attorney General to Investigate Facebook Email Collection Scandal

New York Attorney General is opening an investigation into Facebook's unauthorized collection of the email contacts of more than 1.5 million users during site registration without their permission.

Earlier this month, Facebook was caught practicing the worst ever user-verification mechanism by asking users new to its social network platform for their email account passwords to verify their identity.

However, just last week it turned out that the social network "unintentionally" uploaded email contacts from up to 1.5 million new users on its servers, without their consent or knowledge, Facebook admitted while saying the data was reportedly used to "build Facebook's web of social connections and recommend friends to add."

According to the New York Attorney General Letitia James, the harvested email addresses may have exposed hundreds of millions of Facebook users to targeted advertisements.

"Facebook has repeatedly demonstrated a lack of respect for consumer information while at the same time profiting from mining that data," James said in a statement, adding that now it's time that the social media company should "held accountable for how it handles consumers' personal information."

In response to the news, a Facebook spokesperson told The NY Times that the company is "in touch with the New York State attorney general's office and are responding to their questions on this matter."

Ireland Investigating into Facebook Over Plaintext Passwords Scandal

The Irish Data Protection Commission had begun an investigation into a separate Facebook's privacy bunder exposed last month when the social network revealed that it left hundreds of millions of passwords of Facebook, Facebook Lite and Instagram users exposed in plain text on company servers.

At the time, it was reported that the incident exposed "tens of thousands" passwords of Instagram users in plaintext, while just last week it was revealed that the actual number of affected Instagram users were not in hundreds of thousands but millions.

The exposed passwords were potentially dated back to 2012 and were accessible to up to 2,000 Facebook employees.

In a statement on Thursday, the Irish Data Protection Commissioner said it has launched "a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions" of the European Union's General Data Protection Regulation (GDPR) designed to protect people's data.

Canada to Sue Facebook Over Cambridge Analytica Scandal

Canadian regulators are also suing Facebook for allegedly violating the country's privacy laws following their investigation into the March 2018's Cambridge Analytica scandal and its impact on Canadians.

A joint report published Thursday from Canadian privacy commissioner Daniel Therrien and his British Columbia counterpart said lax security practices at the company allowed personal information of hundreds of thousands of Canadians to be used for political purposes.

The watchdogs started investigating Facebook last year after it was revealed that a UK political consultancy Cambridge Analytica harvested data from about 87 million users and then used it for political gain without their knowledge or permission.

The report said Facebook committed a "major breach of trust" and "abdicated its responsibility for personal information under its control, effectively shifting that responsibility to users and apps."

The United States FTC is also investigating Facebook over the Cambridge Analytica scandal, and the company has already kept aside $5 billion from its revenue in anticipation of the settlement with the commission.

Have something to say about this article? Comment below or share it

28/04/2019

New York, Canada, Ireland Launch New Investigations Into Facebook Privacy Breaches
April 27, 2019***Credit to Swati Khandelwal***
facebook privacy investigation fine
Facebook has a lot of problems, then there are a lot of problems for Facebook—and both are not going to end anytime sooner.

Though Facebook has already set aside $5 billion from its revenue to cover a possible fine the company is expecting as a result of an FTC investigation over privacy violations, it seems to be just first installment of what Facebook has to pay for continuously ignoring users' privacy.

This week, Facebook has been hit with three new separate investigations from various governmental authorities—both in the United States and abroad—over the company's mishandling of its users' data.

New York Attorney General to Investigate Facebook Email Collection Scandal

New York Attorney General is opening an investigation into Facebook's unauthorized collection of the email contacts of more than 1.5 million users during site registration without their permission.

Earlier this month, Facebook was caught practicing the worst ever user-verification mechanism by asking users new to its social network platform for their email account passwords to verify their identity.

However, just last week it turned out that the social network "unintentionally" uploaded email contacts from up to 1.5 million new users on its servers, without their consent or knowledge, Facebook admitted while saying the data was reportedly used to "build Facebook's web of social connections and recommend friends to add."

According to the New York Attorney General Letitia James, the harvested email addresses may have exposed hundreds of millions of Facebook users to targeted advertisements.

"Facebook has repeatedly demonstrated a lack of respect for consumer information while at the same time profiting from mining that data," James said in a statement, adding that now it's time that the social media company should "held accountable for how it handles consumers' personal information."

In response to the news, a Facebook spokesperson told The NY Times that the company is "in touch with the New York State attorney general's office and are responding to their questions on this matter."

Ireland Investigating into Facebook Over Plaintext Passwords Scandal

The Irish Data Protection Commission had begun an investigation into a separate Facebook's privacy bunder exposed last month when the social network revealed that it left hundreds of millions of passwords of Facebook, Facebook Lite and Instagram users exposed in plain text on company servers.

At the time, it was reported that the incident exposed "tens of thousands" passwords of Instagram users in plaintext, while just last week it was revealed that the actual number of affected Instagram users were not in hundreds of thousands but millions.

The exposed passwords were potentially dated back to 2012 and were accessible to up to 2,000 Facebook employees.

In a statement on Thursday, the Irish Data Protection Commissioner said it has launched "a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions" of the European Union's General Data Protection Regulation (GDPR) designed to protect people's data.

Canada to Sue Facebook Over Cambridge Analytica Scandal

Canadian regulators are also suing Facebook for allegedly violating the country's privacy laws following their investigation into the March 2018's Cambridge Analytica scandal and its impact on Canadians.

A joint report published Thursday from Canadian privacy commissioner Daniel Therrien and his British Columbia counterpart said lax security practices at the company allowed personal information of hundreds of thousands of Canadians to be used for political purposes.

The watchdogs started investigating Facebook last year after it was revealed that a UK political consultancy Cambridge Analytica harvested data from about 87 million users and then used it for political gain without their knowledge or permission.

The report said Facebook committed a "major breach of trust" and "abdicated its responsibility for personal information under its control, effectively shifting that responsibility to users and apps."

The United States FTC is also investigating Facebook over the Cambridge Analytica scandal, and the company has already kept aside $5 billion from its revenue in anticipation of the settlement with the commission.

Have something to say about this article? Comment below or share it

26/04/2019

Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension
April 26, 2019**credit to Swati Khandelwal**
wordpress woocommerce security plugin
If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store.

A WordPress security company—called "Plugin Vulnerabilities"—that recently gone rogue in order to protest against moderators of the WordPress’s official support forum has once again dropped details and proof-of-concept exploit for a critical flaw in a widely-used WordPress plugin.

To be clear, the reported unpatched vulnerability doesn't reside in the WordPress core or WooCommerce plugin itself.

Instead, the vulnerability exists in a plugin, called WooCommerce Checkout Manager, that extends the functionality of WooCommerce by allowing eCommerce sites to customize forms on their checkout pages and is currently being used by more than 60,000 websites.

The vulnerability in question is an "arbitrary file upload" issue that can be exploited by unauthenticated, remote attackers if the vulnerable sites have "Categorize Uploaded Files" option enabled within WooCommerce Checkout Manager plugin settings.

"From the more technical aspect, vulnerability occurs inside 'includes/admin.php' file at line 2084 on which application is moving given files to a directory using 'move_uploaded_file' without prior proper check for allowed files," explains a blog post published Thursday by web application security platform WebARX, who warned their users after Plugin Vulnerabilities made the flaw public.

If exploited, the flaw could allow attackers to execute arbitrary server-side script code in the context of the web server process and compromise the application to access or modify data or gain administrative access.
wordpress woocommerce security plugin
WooCommerce Checkout Manager version 4.2.6, which is the latest available plugin at the time of writing, is vulnerable to this issue.

If your WordPress website is using this plugin, you are advised to either disable "Categorize Uploaded Files" option in the setting or disable the plugin completely until a new patched version becomes available.

This is not the first time when the company called Plugin Vulnerabilities inappropriately disclosed an unpatched flaw in the public.

The company has continuously been disclosing vulnerabilities in various WordPress plugins since after they had issues with the WordPress forum moderators.

Since at least past two years the team behind Plugin Vulnerabilities has deliberately been releasing details of newly discovered vulnerabilities directly on the WordPress Support forum, instead of reporting them to the respective plugin authors directly, violating the forum’s rules.

In response to this inappropriate behavior, the WordPress.org moderators eventually blacklisted Plugin Vulnerabilities from their official forum after multiple warnings and banning all their accounts.

However, this did not stop Plugin Vulnerabilities, who since then started disclosing details of new, unpatched WordPress plugin vulnerabilities on their own website, putting the whole ecosystem, websites and their users at risk.

Have something to say about this article? Comment below or share it

25/04/2019

'Highly Critical' Unpatched Zero-Day Flaw Discovered In Oracle WebLogic
April 25, 2019**credit to Mohit Kumar of THN**
oracle weblogic server vulnerability
A team of cybersecurity researchers today published a post warning enterprises of an unpatched, highly critical zero-day vulnerability in Oracle WebLogic server application that some attackers might have already started exploiting in the wild.

Oracle WebLogic is a scalable, Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud. It's popular across both, cloud environment and conventional environments.

Oracle WebLogic application reportedly contains a critical deserialization remote code ex*****on vulnerability that affects all versions of the software, which can be triggered if the "wls9_async_response.war" and "wls-wsat.war" components are enabled.

The vulnerability, spotted by the researchers from KnownSec 404, allows attackers to remotely execute arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization.

oracle weblogic server vulnerability

"Since the WAR package has a defect in deserializing the input information, the attacker can obtain the authority of the target server by sending a carefully constructed malicious HTTP request, and execute the command remotely without authorization," explains Chinese National Information Security Vulnerability Sharing Platform (CNVD).

The researchers also shared details of the zero-day vulnerability, tracked as CNVD-C-2019-48814, with the Oracle's team, but the company has not yet released a patch. The affected Oracle WebLogic versions are as follows:

WebLogic 10.X
WebLogic 12.1.3

According to the ZoomEye cyberspace search engine, more than 36,000 WebLogic servers are publicly accessible on the Internet, though it's unknown how many of these have the vulnerable components enabled.

A maximum number of Oracle WebLogic servers are deployed in the United States and China, with a lesser number in Iran, Germany, India, and so on.
oracle weblogic server vulnerability
Since Oracle releases security updates every three months and had already released a Critical Patch Update just this month, this zero-day issue is unlikely to be patched anytime soon (i.e., not before July), unless the company decides to roll out an out-of-band security update.

So, until the company releases an update to patch the vulnerability, server administrators are highly recommended to prevent their systems from exploitation by changing either of the two following settings:

Finding and deleting wls9_async_response.war, wls-wsat.war and restarting the Weblogic service, or
Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control.

Since Oracle WebLogic servers are an often target of attackers, there will be no surprise if attackers have already started exploiting this zero-day and then use vulnerable servers for their nefarious purposes.

Have something to say about this article? Comment below

25/04/2019

Facebook Could Be Fined Up To $5 Billion Over Privacy Violations
April 25, 2019 credit to Mohit Kumar (THN)**
facebook fine ftc cambridge analytica
Facebook expects to face a massive fine of up to $5 billion from the Federal Trade Commission (FTC) as the result of an investigation into its privacy policies—that's about one month's revenue for the social media giant.

To be clear the amount of fine is not what the FTC has announced or hinted yet; instead, it's an estimated due that Facebook disclosed on Wednesday in its first quarter 2019 financial earnings report.

In its earnings report, Facebook said the company had set $3 billion aside in anticipation of the settlement with the FTC, who launched a probe into Facebook following the Cambridge Analytica scandal.

The probe centers around the violation of a 2011 agreement Facebook made with the FTC that required the social media to gain explicit consent from users to share their data.

The FTC launched an investigation into Facebook last year after it was revealed that the company allowed Cambridge Analytica access to the personal data of around 50 million Facebook users without their explicit consent.

Now, both parties are nearing a settlement, with Facebook anticipating the fine to between $3 billion and $5 billion.

"In the first quarter of 2019, we reasonably estimated a probable loss and recorded an accrual of $3.0 billion in connection with the inquiry of the FTC into our platform and user data practices," Facebook said in its earnings report.

"We estimate that the range of loss in this matter is $3.0 billion to $5.0 billion. The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome," Facebook noted.

If Facebook agrees, the fine will be a record for the FTC, which has never imposed such a massive fine on any tech company till the date and represents one month's revenue for the social media giant.

UK's Information Commissioner Office (ICO) has also imposed £500,000 fine on Facebook over the Cambridge Analytica scandal.

The FTC fine on Facebook will also surpass the $22.5 million civil penalties Google paid in 2012 to settle FTC charges for allegedly violating an agreement to improve privacy practices.

Despite all criticisms Facebook have recently faced over its mishandling of users' data, Facebook earning and the user base is continually increasing, with the company bringing in more than $15 billion in revenue the first quarter of 2019 alone. It also added 39 million daily active users to its platform.
Have something to say about this article? Comment below or share