Nov 27, 2024The Hacker NewsMalware / Threat IntelligenceMulti-stage cyber attacks, characterized by their complex execution chains, are designed to avoid detection and trick victims into a false sense of security. Knowing how they operate is the first step to building a solid defense strategy against them. Let's examine real-world examples of some of the most common multi-stage attack scenarios that are active right now.URLs and Other Embedded Content in DocumentsAttackers frequently hide malicious links within seemingly legitimate documents, such as PDFs or Word files. Upon opening the document and clicking the embedded link, users are directed to a malicious website. These sites often employ deceptive tactics to get the victim to download malware onto their computer or share their passwords.Another popular type of embedded content is QR codes. Attackers conceal malicious URLs within QR codes and insert them into documents. This strategy forces users to turn to their mobile devices to scan the code, which then directs them to phishing sites. These sites typically request login credentials, which are immediately stolen by the attackers upon entry.Example: PDF File with a QR CodeTo demonstrate how a typical attack unfolds, let's use the ANY.RUN Sandbox, which offers a safe virtual environment for studying malicious files and URLs. Thanks to its interactivity, this cloud-based service allows us to engage with the system just like on a standard computer.Get up to 3 ANY.RUN licenses as a gift with a Black Friday offerTo simplify our analysis, we'll enable the Automated Interactivity feature that can perform all the user actions needed to trigger attack or sample execution automatically.Phishing PDF with malicious QR code opened in the ANY.RUN sandboxConsider this sandbox session, which features a malicious .pdf file that contains a QR code. With automation switched on, the service extracts the URL inside the code and opens it in the browser by itself. The final phishing page where victims are offered to share their credentialsAfter a few redirects, the attack takes us to the final phishing page designed to mimic a Microsoft site. It is controlled by threat actors and configured to steal users' login and password data, as soon as it is entered.Suricata IDS rule identified a phishing domain chain during analysisThe sandbox makes it possible to observe all the network activity occurring during the attack and see triggered Suricata IDS rulesAfter completing the analysis, the ANY.RUN sandbox provides a conclusive "malicious activity" verdict and generates a report on the threat that also includes a list of IOCs.Multi-stage RedirectsMulti-stage redirects involve a sequence of URLs that move users through multiple sites, ultimately leading to a malicious destination. Attackers often utilize trusted domains, such as Google's or popular social media platforms like TikTok, to make the redirects appear legitimate. This method complicates the detection of the final malicious URL by security tools.Some redirect stages may include CAPTCHA challenges to prevent automated solutions and filters from accessing malicious content. Attackers might also incorporate scripts that check for the user's IP address. If a hosting-based address, commonly used by security solutions, is detected, the attack chain gets interrupted and the user is redirected to a legitimate website, preventing access to the phishing page.Example: Chain of Links Leading to a Phishing PageHere is a sandbox session showing the entire chain of attack starting from a seemingly legitimate TikTok link.TikTok URL containing a redirect to a Google domainYet, a closer look reveals how the full URL incorporates a redirect to a legitimate google domain. ANY.RUN automatically solves the CAPTCHA moving on to the next stage of the attackFrom there, the attack moves on to another site with a redirect and then to the final phishing page, which is, however, protected with a CAPTCHA challenge.Fake Outlook page intended for stealing user dataThanks to advanced content analysis, the sandbox automatically solves this CAPTCHA, allowing us to observe the fake page designed to steal victims' credentials.Email AttachmentsEmail attachments continue to be a prevalent vector for multi-stage attacks. In the past, attackers frequently sent emails with Office documents containing malicious macros. Currently, the focus has shifted to archives that include payloads and scripts. Archives provide a straightforward and effective method for threat actors to conceal malicious executables from security mechanisms and increase the trustworthiness of the files.Example: Email Attachment with Formbook MalwareIn this sandbox session, we can see a phishing email that contains a .zip attachment. The service automatically opens the archive, which has several files inside.Phishing email with an archiveWith Smart Content Analysis, the service identifies the main payload and launches it, which initiates the execution chain and allows us to see how the malware behaves on a live system.Suricata IDS rule used for detecting FormBook's connection to its C2The sandbox detects FormBook and logs all of its network and system activities, as well as providing a detailed threat report.Get Your Black Friday Deal from ANY.RUNAnalyze suspicious emails, files, and URLs in the ANY.RUN sandbox to quickly identify cyber attacks. With Automated Interactivity, the service can perform all the necessary analysis steps on its own, saving you time and presenting you only with the most important insights into the threat at hand.Black Friday offer from ANY.RUNANY.RUN is currently offering Black Friday deals. Get yours before December 8:For individual users: 2 licences for the price of 1.For teams: Up to 3 licences + annual basic plan for Threat Intelligence Lookup, ANY.RUN's searchable database of the latest threat data;See all offers and test the service with a free trial today ConclusionMulti-stage attacks are a significant threat to organizations and individuals alike. Some of the most common attack scenarios include URLs and embeds in documents, QR codes, multi-stage redirects, email attachments, and archived payloads. By analyzing these with tools like ANY.RUN's Interactive sandbox, we can better defend our infrastructure.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

John Edwards, Technology Journalist & AuthorNovember 27, 20245 Min ReadOleCNX via Alamy Stock PhotoAn IT project timeline that's overly optimistic can lead to delays, cost overruns, missed opportunities and, in extreme instances, complete project failure. It can also make the project leader look weak or incompetent.While there are multiple ways to build a project timeline, keeping it simple by starting with the overarching scope and then breaking it down into individual smaller components is key, says Sathya Chandrasekar, a managing director with Deloitte Consulting, in an online interview.Sharif Naqib, senior director of project management and resourcing at IT consulting firm SADA, says the project sponsor must clearly understand the venture's value as well as key constraints, including timelines, scope, and budget. In an email interview, he advises project leaders to research ways to embrace enterprise and industry best practices and then build a draft timeline leveraging input from the team's subject matter experts.A quality project timeline will have deliverables and milestones with strict deadlines tied to them, says Mary Rivard, a partner with technology research and advisory firm ISG. "Milestones are critical, because they provide specific points within the project to measure progress and keep the team on track," she notes via email.Related:When planning, be sure to include time for business readiness, employee feedback, and training, Naqib advises. "Many project leaders leave time for quality assurance and solution testing but tend to underestimate the time it takes to prepare employees to work with and adjust to the new solution." Lacking this critical organizational change management component, the timeline may be thwarted by staff resistance and a lack of understanding, he warns.Ensuring AccuracyBuilding resilient project plans that can handle unforeseen, yet often inevitable changes, is key to ensuring timeline accuracy. "Understanding dependencies, identifying bottlenecks, and planning delivery around these constraints have shown to be important for timeline accuracy," Chandrasekar says.Project accuracy also depends on clear communication and tracking. "It's critical to consistently review timelines with your project team and stakeholders, making updates as new information is discovered," Naqib says. He adds that project timelines should be tracked with the support of a work management tool, such as SmartSheet or Jira, in order to measure progress and identify gaps.Yet even with perfect planning, unanticipated delays or changes may occur. Proper planning and communication are key to assuring timeline accuracy, says Anne Gee, director of delivery excellence for IT managed services at data and technology consulting firm Resultant. "During the planning phase, include buffer time, identify potential risks, and develop mitigation plans to handle delays proactively and stay on track," she advises via email.Related:Getting Up to SpeedLeaders often underestimate how long a task will take. "We think we can get something done fast and easily when the reality is that the solution is more complex," Gee observes. "Due to this mistaken thinking, project leaders often have overly optimistic timelines that don't account for resource constraints, potential delays, or unexpected challenges."Rivard believes that the biggest timeline mistakes include neglecting to clearly identify the project's scope and deliverables, not identifying and accounting for project dependencies, and failing to ensure that the necessary resources, with teams possessing the right skillsets, are available to work on the project.Getting Back on ScheduleProject delays are common and must be immediately addressed. The first step is to identify the cause of the delay so it can be effectively resolved, Gee says. The project leader will then need to determine whether additional resources are needed, or if resources must be reallocated to get the project back on schedule. "At the end of the day, extending the deadline may be necessary," she acknowledges.Related:To get a stalled project back on track, determine if the project scope can be revised or reduced, Rivard says. "Regardless of whether you're working toward [meeting] the original project scope or a reduced scope, you'll need to divide the remaining work into smaller tranches of prioritized tasks." She suggests assigning responsibility for the remaining tasks while reaffirming that the project has the appropriate skillsets available to accomplish its goals within the specified timeframe.The best way to get a lagging timeline back on schedule is to work with your project team to identify the root cause, Naqib advises. "Then, you can work with your team and your greater organization to explore possible resolution accelerators that will keep your timeline on track." He adds that resolution plans might include resequencing work, adding or subtracting the project's scope, adding or changing team members, or leveraging automation or existing code libraries to accelerate delivery.Parting ThoughtsStakeholder involvement should be encouraged throughout the project to ensure that their expectations align with the project timeline, Gee says. She also recommends documenting all decisions to prevent future confusion and errors. "Finally, don't forget to conduct a post-mortem after project completion to document any lessons learned -- especially as they relate to the timeline -- and store it where others can access it."About the AuthorJohn EdwardsTechnology Journalist & AuthorJohn Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.See more from John EdwardsNever Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.SIGN-UPYou May Also LikeReportsMore Reports

It is not a small world of Disney films after all. That mouse-related juggernaut keeps right on rolling along year after year after year. When they stumble upon a hit, which they do with great regularity they haveboth of the two biggestbox-office hits of the year right now, for example nobody is better than Disney at finding ways to turn that one-time hit into a perpetual multimedia franchise.Sometimes that means live-action remakes. Often that means video games, TV spinoffs, and truckloads of merchandise.Anda lot of times that means sequels.So many sequels.Disney didnt become the massive Hollywood juggernaut they are by churning out bad movies. They have produced had plenty of sequels people love. (Remember the two biggest box-office hits of the year I mentioned?They are both sequels.) Their track record aint perfect, though. And today, were rounding up ten of their worst sequels ever.Note that the list doesnot contain any ofDisneys direct-to-video sequels. It didnt seem fair tocompare big-screen titles made withlarge budgets,A-list stars, and top talent with moviesthat were made on the cheap by lesser-known actors and creators. So well have to discuss whetherCinderella II: Dreams Come True is worse thanPocahontas II: Journey to a New World (or whetherCinderella III: A Twist in Time is kind of underrated) another time.We also left out any and all bad Marvel andStar Warssequels, which might technically qualify for a list like this, but are really their own separate thing deserving of theirown piece. For now, lets just rankthe worst (big-screen) Disney sequels. Starting with...The Worst Disney SequelsThe House of Mouse loves to churn out sequel after sequel in their hit franchises. Sometimes, it works. Sometimes, it doesnt.READ MORE: The Best Movie Stunts in HistoryGet our free mobile app15 Once-Beloved Movies That Have Faded AwayThese movies were massive blockbusters on their initial release. As the years have gone by, theyve havent become generational classics.

Location: 100% RemoteCompensation: We pay local rates that are at or above the market + Shares 0.001% - 0.05% + Generous Benefits. We share this philosophy with GitLab.About SecfixSecfix automates security compliance for SMBs in Europe. We help SMBs automate ISO 27001, GDPR, TISAX, and SOC 2 fast and easy. Our platform integrates with a companys tech stack (like AWS, Azure AD, Jira, etc.), automatically extracts the data needed for compliance, and creates a checklist to become and remain compliant.About Our TeamWere a fun, close-knit team on a mission to automate security and compliance for modern companies and become the European compliance automation leader. Our trajectory is fueled by top investors, including Octopus Ventures, Neosfer (Commerzbank), founders of Signavio and many more angels.We are a team of 16 (and growing!) with founders passionate about Y Combinator product principles and building a great remote culture. We are solving a real need with a huge $97bn market and the future is very bright.Role responsibilitiesTrouble-shoot and resolve the most complex technical issues as the final escalation point in our Support TeamDevelop a deep understanding of our product capabilities, integrations, configurations messaging, partner ecosystem, and competitive landscape.Communicate directly with users and listen carefully to prospects and customers to provide market feedback to the product team and help prioritize functionality needed to drive sales opportunitiesBuild product examples, documentation, and other critical resources for our customersLead initiatives to establish Support Engineering best practices and implement new toolsCultivate an environment of teamwork, openness, creativity, and continuous improvementAbout youYou have 2-5 years of customer-facing, technical experience as a support engineer, product engineer, solutions engineer, or similar - ideally within a B2B SaaS environment.1-3 years of backend experience. Professional experience with Java Spring Boot, Typescript and PostgreSQL and a desire to expand those skills. Be familiar with REST API development and service integrations.You have hands-on experience with cloud platforms: AWS, Google Cloud, Microsoft Azure, Operating Systems (Windows, MacOS, Linux) and cloud application architecture.Youre familiar with Zendesk or other ticketing software.Youre an expert problem solver - you can solve complex problems within a fast-paced startup environment.You have a calm and patient demeanor, especially when faced with challenging customer interactions.Youre hands-on with an ownership mindset. Youve owned end-to-end processes, from research right through to updating knowledge base documentation.Excellent written and verbal communication in English. Both - with customers in a chat and when creating and maintaining beautiful and clear knowledge base articles.Youre hard working, and excited about getting your hands dirty in a startup environment.You learn fast - youre not afraid to learn and fully implement a new technologyWhat We OfferRemote Work: 100% remote work with a virtual office in Gather.Competitive Salary: Industry-competitive local salaries.We pay local rates that are at or above the market. We share this philosophy with GitLab.Equity: Generous equity package were all owners of Secfix and beneficiaries of our collective success.Holidays: 26 days holiday + local public holidays.Health Insurance: Comprehensive health coverage.Development Budget: 1,000 annual personal development budget.Workspace Budget: Remote workspace budget and access to co-working spaces.Annual Retreat: Annual retreat to build connections and inspire ideas (this year were headed to Milan!).Tech Equipment: Latest tech equipment (MacBook, monitors, headphones).Company Events: Company-wide events to build relationships and have some fun!Mentorship: We are backed by top VCs and accelerators and have direct access to world-class mentors.Interview Process20-30 min intro call with Talent teamTake-home Task and technical presentation2h final "Virtual on-site" where you'll meet the team and co-founders on GatherSometimes we might split one larger interview into small separate calls, to offer you faster availability.Please note: We are an equal-opportunity employer and remote-only company. We work in sync using Gather as our virtual office. As a small fast-growing company, we believe in the need for an in-sync component of daily communication and therefore cannot support 100% asynchronous work. Read more about our Remote Culture here.

The SECRET To Landing a Software Engineering Internship

17. Muscle Solver Vellum - Parameter Overview

19. Muscle Post-Processing

Source: Jack HobhouseSource: Jack HobhouseSource: Jack Hobhouse1/3show captionThreefold Architects has completed a 23,000 sq.ft retrofit of 12 Little Portland Street, a grade II-listed building close to Oxford Circus, for The Crown Estate.The project seeks to revitalise the 1920s neo-classical office building, incorporating flexible office spaces and upgraded energy performance measures while preserving its heritage features.The design is intended to address post-Covid workspace trends, focusing on smaller, more flexible spaces suited to hybrid working. According to Threefold, the scheme aims to diversify The Crown Estates commercial portfolio by attracting a mix of tenants through inclusive layouts and amenities that promote collaboration and well-being.Significant upgrades have been made to the buildings thermal performance, with new mechanical and electrical systems installed, including a high-efficiency recovery condenser and modernised ventilation systems.Heritage features such as period windows and plasterwork have been refurbished or echoed in new design elements. A full faade restoration was undertaken, alongside the replacement and refurbishment of glazing, which contributed to achieving a BREEAM Very Good rating.Existing materials, including raised access floors, were catalogued and reused where possible, aligning with circular economy principles.Source: Jack HobhouseSource: Jack HobhouseSource: Jack HobhouseSource: Jack HobhouseSource: Jack HobhouseSource: Jack HobhouseSource: Jack Hobhouse1/9show captionInternally, the six floors of workspace are designed to accommodate contemporary work practices. Threefold describes the spaces as a mix of task-specific work areas, breakout zones, and collaborative areas, with natural materials and planting used to create a comfortable environment.A key addition is a new roof terrace, which transforms previously unused space into an outdoor area for events and relaxation, offering views of central London.The terrace includes planting to support The Crown Estates Wild West End strategy, aimed at improving air quality and urban biodiversity. Features such as bee blocks and insect habitats have also been integrated.Project dataClient: The Crown EstateArchitect: Threefold ArchitectsProject Manager: Dendy ByrneStructural Engineer: HTSM&E: WPPEnvironmental: WPPHeritage Consultant: Donald Insall AssociatesPlanning Consultant: Gerald EveCompleted: October 2024Gross internal area: 23,000 sq/ftPhotographs: Jack HobhouseSuppliersLino: GerfloorTerrazzo: Inopera Kitchen worktop, Diespeker for StairsFurniture: Rawside, Ondaretta, Vitra, Pearson LloydSanitaryware: CrosswaterRecycled Paint: Paint 360Tiles: GrestecBespoke Joinery: Falkus JoineryTerrace Planters: RaaftWall lights: Holloways of Ludlow/ ArtimedeDecking: RaaftTerrace Handrails: BA SystemsBlinds: WaverleyInsect hotels: Green and blueBird bricks: manthorpe

Job also includes building new community kitchenThe block will be turned into new student homesA scheme by Howells to turn a 1980s office building in south London into student accommodation has been given the green light by Southwark planners.The block at 182-202 Walworth Road will be overhauled into nearly 300 student bedrooms as well as new retail and a publicly accessible courtyard garden.The job, which is being developed by Fabrix, will also 23 homes for social rent at the site.It will also include a 2,626 sq ft community kitchen, which will open up into the courtyard garden.Others working on the deal include QS Turner & Townsend Alinea, project manager Gardiner & Theobald, M&E consultant Arup and structural engineer Elliott Wood.Fabrix is also behind a 180m scheme in London that would have seen a mini forest built on top of the former Blackfriars Crown Court in Southwark.But this has been stalled because of affordability issues. The seven-storey building on Pocock Street had been due to be carried out by Mace, with 385,000 sq ft of office and community space to be built alongside the rooftop forest.

Our Experts Written by Russell Holly Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement Why You Can Trust CNET 16171819202122232425+ Years of Experience 14151617181920212223 Hands-on Product Reviewers 6,0007,0008,0009,00010,00011,00012,00013,00014,00015,000 Sq. Feet of Lab Space CNETs expert staff reviews and rates dozens of new products and services each month, building on more than a quarter century of expertise.Table of Contents Table of Contents Many Black Friday dealsare already live, and some are better than others. If you're trying to complete your holiday shopping list, it can feel overwhelming trying to figure out which discounts are worth your time. However, you're in luck because we have all the top deals on TVs, laptops, gaming accessoriesand just about every pair of headphones in one place. We want you to snag the best bargains before they're gone.Don't waste precious time separating the good deals from the great ones. Our CNET shopping experts work tirelessly from the moment Black Friday deals start to the moment Cyber Monday deals end to ensure this page has all of the best offers for you to peruse. Check back regularly because there are always new Black Friday discounts to discover.See at AmazonBest Black Friday deals Cuisinart air fryer oven: $57 At this point, an air fryer is basically an essential in every kitchen. And what's better than having an air fryer that truly can do everything. From roasting to baking and even special presets for certain foods like fries or wings, you'll be enjoying a delicious meal in no time. And at half off, it's down to a record low price. Details $57 at Amazon Greater Goods Kitchen sous vide machine: $70 Take almost half off this sous vide machine, bringing to it's lowest price ever. It even comes in three different colors so you can pick which matches your kitchen the best. It's super simple to use. It has 1100 watts of power so you can get to your desired temperature super quick, and all you will hear is a gentle ripple. Details $70 at Amazon Magic Bullet 48oz blender: $30 The Magic Bullet is down to an record low price. It has a 48-oz capacity so you can make your large holiday meals. And it's dishwasher safe so you don't have to worry about cleaning the machine yourself. Details $30 at Amazon Apple iPad (10th gen): $250 Apple's latest entry-level iPad is ouroverall favorite tablet of 2024, and now you can grab it at an all-time low price. It has a 10.9-inch display, a USB-C connector and Wi-Fi 6 support. Be sure to clip theon-page couponfor the full discount. Details $250 at Amazon Anker Prime 67W USB-C charger: $36 At 40% off, this 67-watt charger with USB-C and USB-A ports is a steal. It can help boost your phone, laptop and more at home and when you're on the go. Details $36 at Amazon Samsung Galaxy Watch 7: $203 Get the best Android smartwatch experience at its lowest price yet. Even if last year's Galaxy Watch 6 is down to $140, the improved health sensor array, the smoother yet more efficient processor and the new gesture controls on the Galaxy Watch 7 can make all the difference in the world in everyday use, especially for those with extra-small or irregularly shaped wrists. Samsung's Galaxy Health suite remains entirely free -- unlike Fitbit on the Pixel Watch 3 -- and its integration with both Samsung Galaxy phones and non-Samsung Android phones is top tier. Samsung's customizable watch faces, like the new Ultra Info Board or the updated (and GIF-supporting) Photos face, let your watch feel as futuristic, retro or personal as you desire. Details $203 at Amazon Amazon / CNET 2016 The Breville Barista Express is our favorite espresso machine for making a cafe-quality latte at home. It has a built-in coffee grinder and steam wand for all of your caffeinated creations, and right now you can score a rare $200 discount. Show more $550 at Amazon Amazon Fire TV Stick 4K Max: $33 (save $27). Give the gift of 4K streaming with theFire TV Stick. It's the easiest way to add smart features to a nonsmart TV, especially if you're on a budget.Govee TV Backlight 3: $47 (save $23). This kit adds lights to the back of your TV that sync up with whatever you are watching or playing, and kits for multiple TV sizes are all discounted today.Aqara Smart Lock U100 smart door lock: $130 (save $100). This smart lock supports Apple's Home Key technology, Amazon's Alexa and more.Tineco Pure One S11 cordless vacuum cleaner: $180 (save $120). This lightweight Tineco was chosen as our pick for the overallbest cordless vacuumof the year thanks to its strong suction, HEPA filtration and more. Clip theon-page couponfor the full discount.Best Black Friday TV dealsShop all the best Black Friday TV deals before they are gone. Now's the time to replace your old, busted TV and upgrade to something with better resolution and features that will take your bingeing sessions to the next level. Hisense/CNET "Go big or go home" could be this smart TV's motto. It's 85 inches, making it almost too big for most spaces, but just right for those who love watching movies large and loud, or like to catch all the details of any sport you can imagine. Its smarts come from Google TV and it has a subwoofer built-in to make the sound experience better in almost every case.Specs: 85 inches; panel: QLED; screen resolution: 4K Show more $1,298 at Amazon