The researchers conducted several scans of the Internet for installations containing a number of dangerous vulnerabilities.
2020 was a record year for the number of disclosed vulnerabilities (18,352), and this year the number is likely to grow: as of September 1, it had already reached 13,002. At the same time, 20% of these issues are rated high-severity on the NVD scale. Given the speed with which cybercriminals adopt new vulnerabilities, specialists at the information security company Trustwave decided to examine how quickly organizations install patches.
Researchers conducted several scans of the Internet (July 22, August 16 and 31) for installations containing a number of dangerous vulnerabilities affecting MS Exchange Server (ProxyShell and ProxyToken), Apache Tomcat, VMware vCenter, Pulse Connect (authentication bypass), F5 BIG-IP, QNAP QTS, MS Exchange Server (ProxyLogon) and Oracle WebLogic Server.
The results were disappointing. For example, Microsoft fixed the ProxyShell and ProxyToken vulnerabilities in May and April of this year, respectively, and detailed information about them appeared in July. However, as of August 31, there were approximately 45,000 MS Exchange installations on the Internet that were still vulnerable to ProxyShell, meaning 21.17% of servers had not been updated, the researchers noted. The highest rates were observed in the United States (23.1% of vulnerable servers), Germany (18.69%), the United Kingdom (6.09%), France (5.14%) and Italy (4.18%).
A similar situation was observed for the other vulnerabilities. As of August 31, more than half (57%) of Apache Tomcat installations remained vulnerable, although the Apache developers had released a patch on July 12. Interestingly, 41% of installations were running older, unsupported versions of Apache Tomcat (8.5 and below).
VMware released patches fixing the vulnerabilities CVE-2021-21985 and CVE-2021-21986 in its vCenter Server management solution on May 25 of this year. A week after the updates were released, more than 80% of the servers on the Internet were still vulnerable, and in three months that share fell by only 30%.
There are many reasons why companies and organizations delay applying patches and updates, but it is worth remembering that cybercriminals use the same research techniques (such as Shodan and other Internet scanning tools) as information security experts. In other words, every vulnerable server that researchers find can just as easily be found by attackers.
“It is imperative that organizations proactively identify vulnerabilities and fix them. It is vital to conduct ongoing audits of assets, especially those that are accessible over the Internet. As a rule, exploits for critical vulnerabilities appear in the interval from less than a day to a month, and it is important that organizations constantly monitor, track and update assets,” the experts noted.
Chinese TikTok adds 5-second pauses between videos to combat addictions
5-second warning clips will remind you to “put the phone away” or “go to bed”.
Douyin, the Chinese “twin” of TikTok, owned by the same company, ByteDance, is introducing measures to counter its own algorithms, which are tuned to hold users’ attention for as long as possible. Now those who get “stuck” in the application for too long will be pulled out of it by forced pauses between clips, the South China Morning Post reports.
The social network is introducing five-second pauses between videos that cannot be skipped. During such pauses, users will be made to watch clips reminding them to “put the phone away”, “go to bed” or that they have “work tomorrow”. The pauses will appear when a user spends too much time in the application.
Douyin had already limited video viewing previously, though those changes affected only the children’s audience. Teenagers under 14 were allowed to watch videos for a maximum of 40 minutes a day and were also barred from using the application between 10 pm and 6 am.
Trump’s social network developers accused of illegal use of program code
The Software Freedom Conservancy claims Trump Media and Technology Group copied the open source code of the decentralized social network Mastodon and built a new social network on it.
The Software Freedom Conservancy (SFC), a not-for-profit organization that enforces the rights of open source software developers and the rules for using open licenses, has accused the developers of Trump’s social network, Truth Social, of violating the AGPLv3 license.
The Software Freedom Conservancy says that the service’s developers used the open source code of the decentralized social network Mastodon in violation of the license agreement.
Although the Mastodon code is free and open, projects using it must comply with the terms of the Affero General Public License (AGPLv3), one of which is that the project’s source code must be made available to all its users. Trump’s media company does not yet offer this to TRUTH Social users and describes the social network as a proprietary development.
The Software Freedom Conservancy has given Trump Media and Technology Group 30 days to remedy the situation, The Verge writes. Otherwise, the company will be prohibited from using Mastodon’s open source code.
Facebook end-to-end encryption will give foreign intelligence services surveillance capabilities
Former Facebook employee Frances Haugen criticized the company’s decision to transfer correspondence in its services to end-to-end encryption.
The introduction of end-to-end encryption in Facebook’s messengers could negatively affect users’ privacy and lead to increased surveillance by intelligence agencies. This opinion was expressed by Frances Haugen, a former employee of Mark Zuckerberg’s company, TASS reports.
According to her, after encryption is launched in the Messenger application and the social network Instagram, both owned by Facebook, the company will lose the ability to track possible “malicious operations by representatives of the special services.” “End-to-end encryption will allow Facebook to remove itself [from content moderation] and serve as an excuse for inaction,” Haugen said ahead of her October 25 appearance before the British Parliament as part of discussions on the online safety bill.
The social network itself disagrees with this view. In its opinion, the introduction of end-to-end encryption in the Facebook Messenger and Instagram applications is, on the contrary, aimed primarily at protecting users’ privacy and will protect them not only from foreign surveillance but also from hackers.