• THEHACKERNEWS.COM
    New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration
    Nov 12, 2024 | Ravie Lakshmanan | Virtualization / Vulnerability

    Cybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktops that could be exploited to achieve unauthenticated remote code execution (RCE).

    The issue, per findings from watchTowr, is rooted in the Session Recording component, which allows system administrators to capture user activity and record keyboard and mouse input, along with a video stream of the desktop, for audit, compliance, and troubleshooting purposes.

    Specifically, the vulnerability stems from a "combination of a carelessly-exposed MSMQ instance with misconfigured permissions that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE," security researcher Sina Kheirkhah said.

    The vulnerability details are listed below:

    CVE-2024-8068 (CVSS score: 5.1) - Privilege escalation to NetworkService Account access
    CVE-2024-8069 (CVSS score: 5.1) - Limited remote code execution with the privilege of a NetworkService Account access

    However, Citrix noted that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server and on the same intranet as the session recording server. The defects have been addressed in the following versions:

    Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8
    Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6
    Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11
    Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16

    It's worth noting that Microsoft has urged developers to stop using BinaryFormatter for deserialization, because the method is not safe when used with untrusted input. The BinaryFormatter implementation has been removed from .NET 9 as of August 2024.

    "BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category," the tech giant notes in its documentation. "As a result, the code does not follow modern best practices. BinaryFormatter.Deserialize may be vulnerable to other attack categories, such as information disclosure or remote code execution."

    At the heart of the problem is the Session Recording Storage Manager, a Windows service that manages the recorded session files received from each computer that has the feature enabled.

    The Storage Manager receives the session recordings as message bytes via the Microsoft Message Queuing (MSMQ) service. The analysis found that a serialization process is employed to transfer the data and that the queue instance has excessive privileges.

    To make matters worse, the data received from the queue is deserialized using BinaryFormatter, which allows an attacker to abuse the insecure permissions set during the initialization process and deliver specially crafted MSMQ messages via HTTP over the internet.

    "We know there is a MSMQ instance with misconfigured permissions, and we know that it uses the infamous BinaryFormatter class to perform deserialization," Kheirkhah said, detailing the steps to create an exploit. "The 'cherry on top' is that it can be reached not only locally, through the MSMQ TCP port, but also from any other host, via HTTP."

    "This combo allows for a good old unauthenticated RCE," the researcher added.
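    The two receive patterns the article contrasts, as an added C# illustration that is not code from the article, watchTowr, or Citrix: an MSMQ receiver that feeds message bytes straight into BinaryFormatter, beside a hardened receiver that tightens the queue ACL and deserializes only into a declared type. The queue path, the SessionChunk type, and the account names are assumed placeholders; the page does not give the product's real queue name or message format.

```csharp
using System;
using System.IO;
using System.Messaging;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical record type standing in for a session recording chunk.
[Serializable]
public class SessionChunk
{
    public string SessionId { get; set; }
    public byte[] Payload { get; set; }
}

public static class StorageManagerReceiver
{
    // Assumed private queue path; a placeholder, not the product's real queue name.
    const string QueuePath = @".\private$\SessionRecording";

    // Vulnerable pattern: whoever can write to the queue controls the bytes handed to
    // BinaryFormatter, which instantiates whatever serializable types the stream names.
    // A queue ACL that lets any domain user enqueue turns this into code execution
    // in the service's security context (NetworkService, per the advisory).
    public static SessionChunk ReceiveUnsafe()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            Message msg = queue.Receive(TimeSpan.FromSeconds(30));
            var formatter = new BinaryFormatter();               // unsafe on untrusted input
            return (SessionChunk)formatter.Deserialize(msg.BodyStream);
        }
    }

    // Hardened pattern: (1) only the expected sending principal may enqueue,
    // (2) the body is parsed by a formatter bound to one declared type, so the
    // message cannot select arbitrary types to instantiate.
    public static SessionChunk ReceiveHardened(string senderAccount)
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            // "Everyone" is an assumed example of an over-broad grant made at
            // initialization; the page does not say which principal was over-granted.
            queue.SetPermissions("Everyone", MessageQueueAccessRights.FullControl,
                                 AccessControlEntryType.Revoke);
            queue.SetPermissions(senderAccount, MessageQueueAccessRights.WriteMessage,
                                 AccessControlEntryType.Allow);

            // XmlMessageFormatter maps the body onto the listed types only; it does not
            // perform the polymorphic type resolution that makes BinaryFormatter dangerous.
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(SessionChunk) });

            Message msg = queue.Receive(TimeSpan.FromSeconds(30));
            var chunk = msg.Body as SessionChunk;
            if (chunk == null || string.IsNullOrEmpty(chunk.SessionId))
                throw new InvalidDataException("Rejected message that is not a SessionChunk");
            return chunk;
        }
    }
}
```

    The ACL change is the part an administrator can verify independently of the vendor fix: the queue's permission list should name only the recording agents that are expected to write to it.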
  • THEHACKERNEWS.COM
    New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns
    Nov 12, 2024 | Ravie Lakshmanan | Email Security / Threat Intelligence

    Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users.

    The program, first marketed by a threat actor named cyberdluffy (aka Cyber D' Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub profiles and send bulk emails directly to user inboxes.

    "Whether you're aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need," the threat actor claimed in their post. "GoIssue can send bulk emails to GitHub users, directly to their inboxes, targeting any recipient."

    SlashNext said the tool marks a "dangerous shift in targeted phishing" that could act as a gateway to source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials.

    "Armed with this information, attackers can launch customized mass email campaigns designed to bypass spam filters and target specific developer communities," the company said.

    A custom build of GoIssue is available for $700. Alternatively, purchasers can gain complete access to its source code for $3,000. As of October 11, 2024, the prices have been slashed to $150 and $1,000 for the custom build and the full source code, respectively, for "the first 5 customers."

    In a hypothetical attack scenario, a threat actor could use this method to redirect victims to bogus pages that aim to capture their login credentials, download malware, or authorize a rogue OAuth app that requests access to their private repositories and data.

    Another facet of cyberdluffy that bears notice is their Telegram profile, where they claim to be a "member of Gitloker Team." Gitloker was previously attributed to a GitHub-focused extortion campaign that involved tricking users into clicking on a booby-trapped link by impersonating GitHub's security and recruitment teams.

    The links are sent within email messages that GitHub triggers automatically after the developer accounts are tagged in spam comments on random open issues or pull requests using already compromised accounts. The fraudulent pages instruct them to sign in to their GitHub accounts and authorize a new OAuth application to apply for new jobs.

    Should the inattentive developer grant all the requested permissions to the malicious OAuth app, the threat actors proceed to purge all the repository contents and replace them with a ransom note that urges the victim to contact a persona named Gitloker on Telegram.

    "GoIssue's ability to send these targeted emails in bulk allows attackers to scale up their campaigns, impacting thousands of developers at once," SlashNext said. "This increases the risk of successful breaches, data theft, and compromised projects."

    The development comes as Perception Point outlined a new two-step phishing attack that employs Microsoft Visio (.vsdx) files and SharePoint to siphon credentials. The email messages masquerade as a business proposal and are sent from previously breached email accounts to bypass authentication checks.

    "Clicking the provided URL in the email body or within the attached .eml file leads the victim to a Microsoft SharePoint page hosting a Visio (.vsdx) file," the company said. "The SharePoint account used to upload and host the .vsdx files is often compromised as well."

    Present within the Visio file is another clickable link that ultimately leads the victim to a fake Microsoft 365 login page with the ultimate goal of harvesting their credentials.

    "Two-step phishing attacks leveraging trusted platforms and file formats like SharePoint and Visio are becoming increasingly common," Perception Point added. "These multi-layered evasion tactics exploit user trust in familiar tools while evading detection by standard email security platforms."
  • WWW.INFORMATIONWEEK.COM
    Unicorn AI Firm Writer Raises $200M, Plans to Challenge OpenAI, Anthropic
    The company -- taking direct aim at OpenAI, Anthropic, and other incumbents in the GenAI arms race -- plans to use the funding to fuel its agentic AI efforts.
  • WWW.INFORMATIONWEEK.COM
    From Declarative to Iterative: How Software Development is Evolving
    Lisa Morgan, Freelance Writer | November 12, 2024

    Software development is an ever-changing landscape. Over the years, it has become easier to generate high-quality code faster, though the definition of faster is a moving target.

    Take low-code tools, for example. With them, developers can build most of the functionality they need with the platform, so they only need to write the custom code the application requires. Low-code tools have also democratized software development -- particularly with the addition of AI.

    GenAI is accelerating development even further, and it's changing the way developers think about code.

    Siddharth Parakh, senior engineering manager at Medable, expects AI to revolutionize productivity.

    "The ability for AI to automate repetitive tasks, refactor code and even generate solutions from scratch would allow developers to focus on higher-order problem-solving and strategic design decisions," says Parakh in an email interview. "With AI handling routine coding, developers could become orchestrators of complex systems rather than line-by-line authors of software."

    But there's a catch: Currently, AI-generated code cannot fully replace human intuition in areas such as creative problem solving, contextual understanding, and domain-specific decision-making. "Also, AI models are only as good as the data they are trained on, which can lead to bias issues, error propagation or unsafe coding practices," he says. "Quality control, debugging, and nuanced decision-making are still areas where human expertise is necessary."

    How AI Helps

    The operative word is automation.

    "If AI takes over the majority of coding tasks, it would drive unprecedented efficiency and speed in software development," says Medable's Parakh. "Teams could iterate faster, adapt to changes more fluidly and scale projects without the traditional bottlenecks of manual coding. This could democratize software development, enabling non-experts to create functional software with minimal input."

    Geoffrey Bourne, co-founder of social media API company Ayrshare, says GenAI coding assistants are now an integral part of his coding.

    "They produce lines of code which save me hours on a weekly basis. But, although the results are improving, they're correct less than 40% of the time. You need the experience to know the code just isn't up to scratch and needs adjusting or a redo," says Bourne in an email interview. "Newbie coders are starting out with these assistants at their fingertips but without the years of experience writing code their seniors have. We've got to take this into account and not necessarily limit their access but find creative ways to inject that knowledge. You need to find a balance [between] the instant code fix with healthy experience and a critical eye."

    The evolution of programming, especially through abstraction layers and GenAI, has significantly transformed the way Surabhi Bhargava, a machine learning tech lead at Adobe, approaches her work.

    "GenAI has made certain aspects of development much faster. Writing boilerplate code, prototyping and even debugging is now more streamlined. Finding information across different documents is easier with AI and copilots," says Bhargava in an email interview. "[Though] AI can speed things up, I now [must] critically assess AI-generated outputs. It has made me more analytical in reviewing the work produced by these systems, ensuring it aligns with my expectations and needs, particularly when handling complex algorithms or compliance-driven work."

    AI tools are also helping her create rapid prototypes, and they're reducing the cognitive load.

    "I can focus more on strategic thinking, which improves productivity and gives me room to innovate," says Bhargava. "Sometimes, it's tempting to lean too heavily on AI for code generation or decision-making. AI-generated solutions aren't always optimized or tailored for the specific needs of a project, resulting in bugs and issues in prod. [And] sometimes, it takes more time to set it up if the tools are complex to use."

    Hands-Free Coding Still Hasn't Arrived

    At present, AI struggles with its own set of issues such as misinterpretation, hallucination and incorrect facts. Over-reliance on AI-generated code could lead to a lack of deep technical expertise in development teams.

    "With humans less involved in the nitty-gritty of coding, we could see a decline in the essential skills needed to debug, optimize, or creatively problem-solve at a low level. Additionally, ethical and security concerns could arise as AI systems might unknowingly introduce vulnerabilities or generate biased solutions," says Parakh.

    Tom Taulli, author of AI-Assisted Programming: Better Planning, Coding, Testing, and Deployment, has been using AI-assisted programming tools for the past couple of years. This technology has had the most transformative impact by far on his work in his over 40-year work history.

    "What's interesting is that I approach a project in terms of natural language prompts, not coding or doing endless searches on Google and StackOverflow. In fact, I set up a product requirements document that is a list of prompts. Then, I go through each one for the development of an application," says Taulli. "These systems are far from perfect. But it only takes a few seconds to generate the code -- and this means I have more time to review it and make iterations."

    Taulli has been a backend developer primarily, but AI-assisted programming has allowed him to do more front-end development.

    "The funny thing is that one of the biggest drawbacks is the pace of innovation with these tools. It can be tough to keep up with the many developments," says Taulli. "True, there are other well-known disadvantages, such as with security and intellectual property. Is the code being copied? Do you really own the code you create? However, I think one of the biggest drawbacks is the context window. Basically, the LLMs cannot understand the large codebases. This can make it difficult for sophisticated code refactoring."

    "Another issue is the cut-off date of the LLMs. They may not have the latest packages and frameworks, but the benefits outweigh the drawbacks," he says.

    Tom Jauncey, head nerd at digital marketing agency Nautilus Marketing, says GenAI tools like GitHub Copilot have accelerated the coding process by letting him think about high-level architecture and design. His advice is to use AI to save time on boilerplate code and documentation.

    "Some of the things that I had to learn were how to prompt AI tools and think critically about their output. It is important to remember that while AI is great at generative code, it doesn't always understand broader context and business requirements," says Jauncey. "Thus, always cross-check the AI-generated code with official documentation. AI-powered tools ease the effort of exploring a new language or framework without having to go into syntax details."

    Edward Tian, CEO of GPTZero, believes it's better to use GenAI to assist coding rather than relying on it entirely.

    "Personalization is such a key aspect of coding, and GenAI sometimes just can't quite personalize things in the way you want. It can certainly create complicated code, but it just often falls short in terms of uniqueness," says Tian.

    Bottom Line

    GenAI is accelerating development by generating code quickly, but beware of its limitations. While it's good for writing boilerplate code and documentation, creating quick prototypes and debugging, it's important to verify the outputs. Prompt engineering skills also help boost productivity.

    About the Author

    Lisa Morgan, Freelance Writer. Lisa Morgan is a freelance writer who covers business and IT strategy and emerging technology for InformationWeek. She has contributed articles, reports, and other types of content to many technology, business, and mainstream publications and sites including tech pubs, The Washington Post and The Economist Intelligence Unit. Frequent areas of coverage include AI, analytics, cloud, cybersecurity, mobility, software development, and emerging cultural issues affecting the C-suite.
  • SCREENCRUSH.COM
    Deadpool & Wolverine Is Now Available on Streaming
    Christmas came early for Marvel fans who don't like getting off their couch for their entertainment: Deadpool & Wolverine is now streaming at home. The biggest superhero film of the year and the only Marvel Cinematic Universe movie of 2024 is now available on Disney+.

    The movie adds two of the biggest stars from Fox's X-Men movies, Ryan Reynolds' Deadpool and Hugh Jackman's Wolverine, to the broader MCU. In an extremely meta twist, the film sees the Fox X-Men universe targeted for deletion by the Time Variance Authority from Loki. It's up to Reynolds' Deadpool to save it by finding a Wolverine from elsewhere in the multiverse who can help him restore his timeline.

    On streaming, you can freeze frame all of the movie's many Marvel Easter eggs and maybe find even more references everyone missed the first time around.

    I've seen Deadpool & Wolverine two times already, and the second time I saw it in a theater it really cemented something for me: Hugh Jackman has to be the best superhero actor ever. As I wrote on ScreenCrush a few months ago...

    Jackman's work in Deadpool & Wolverine makes it the perfect coda for and tribute to the Fox X-Men universe. So many of those films were silly, yet Jackman remained devoutly committed to the reality of Wolverine's arduous psychological journey. (He also remained devoutly committed to eating nothing but brown rice and chicken for years on end to maintain the reality of Wolverine's swole physique.) Deadpool & Wolverine is maybe the silliest of all the X-Men movies, intentionally so, and yet Jackman gives maybe his single best performance as Wolverine in it.

    Deadpool & Wolverine is available on Disney+ now.
  • SCREENCRUSH.COM
    Kevin Feige Hints at Marvel Return for Deadpool and Wolverine
    Kevin Feige has hinted Deadpool and Wolverine may return to the Marvel Cinematic Universe.

    The superhero pair, who are portrayed by Ryan Reynolds and Hugh Jackman respectively, finally got their own movie set in the MCU with the eponymous Deadpool & Wolverine, and now the studio's boss, 51, has said Marvel is "always wondering where we can fit them in" in terms of future projects.

    Speaking to Omelete, Feige said: "The plans with Deadpool and Wolverine will always be the same: We're always wondering where we can fit them in, and how fast."

    Elsewhere in the interview, the studio boss said the studio was still committed to the reboot of Blade, which will star Mahershala Ali as the titular vampire hunter, after the film was removed from Disney's release schedule.

    Feige said: "We're committed to Blade. We love the character, we love Mahershala's version of him. And rest assured, whenever we change direction with a project, or are still trying to figure out how it fits into our schedule, we let the public know. You're updated on what's going on. But I can say that the character will make it to the MCU."

    The blockbuster, which has faced many setbacks since its 2019 announcement, with directors and writers boarding and departing the project, was due to hit theaters on November 7, 2025, though it has now been replaced by Predator: Badlands and is yet to receive a new release date.

    Feige previously admitted Marvel was trying to "crack" the reboot, though insisted the studio didn't rush development on the film.

    He told BlackTree TV: "For the last two years as we've been trying to crack that movie, the most important thing for us is not rushing it and making sure we are making the right Blade movie."
  • WEWORKREMOTELY.COM
    Contra: Customer Support (Weekends)
    Time zones: CST (UTC +8)

    Contra is looking for a customer support specialist, located in the Philippines, to join our team. You'll be responsible for providing world-class support for our growing freelancer and company customer base. This role involves performing support tasks. The expected time commitment is weekends, 8 am - 5 pm EST.

    What you'll be responsible for:
    Provide support to users and address any issues or questions they may have.
    Efficiently manage and execute daily operations tasks.
    Ensure all tasks are completed in a timely manner, maintaining high-quality standards.

    Tools you'll be using: Hubspot, Notion, Looker, Retool, Intercom

    Interview process: Loom video; interview with the Recruiting Team; paid case study and presentation.
  • WEWORKREMOTELY.COM
    Contra: Customer Support (Weekdays)
    Time zones: CST (UTC +8)

    Contra is looking for a customer support specialist, located in the Philippines, to join our team. You'll be responsible for providing world-class support for our growing freelancer and company customer base. This role involves performing support tasks. The expected time commitment is weekdays, Mondays-Fridays.

    What you'll be responsible for:
    Provide support to users and address any issues or questions they may have.
    Efficiently manage and execute daily operations tasks.
    Ensure all tasks are completed in a timely manner, maintaining high-quality standards.

    Tools you'll be using: Hubspot, Notion, Looker, Retool, Intercom

    Interview process: Loom video; interview with the Recruiting Team; paid case study and presentation.
  • WWW.FACEBOOK.COM
    He sets up a trafficking ring in luxury usernames
  • WWW.YOUTUBE.COM
    The one thing that sets a good developer apart from an average one.