CVE-2019-20902 https://ift.tt/3cLHqXj Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
Digital Trends via National Vulnerability Database https://ift.tt/OD63ZH October 1, 2020 at 12:30AM
CVE-2019-20903 https://ift.tt/30ph0pk The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
Digital Trends via National Vulnerability Database https://ift.tt/OD63ZH October 1, 2020 at 12:30AM
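The NVD entry says only that the bug is an XSS "in link targets"; it gives no detail of the atlaskit/editor-core defect or of the fix shipped in 113.1.5. The block below is an added, generic illustration of that bug class and its standard defence, not atlaskit code. It assumes a render step that receives a user-supplied link target as a string and emits an anchor element; the names safeLinkTarget, escapeHtml and renderLink are chosen here, as is the scheme allow-list.

```javascript
// Added example (not atlaskit/editor-core code): guarding a user-supplied
// hyperlink target before it becomes an <a href="..."> attribute.
// The classic link-target XSS is an href such as "javascript:alert(1)" that
// runs when the link is clicked. Two controls are needed: an allow-list of
// URL schemes (blocklisting "javascript:" misses "data:", case variants and
// embedded tabs) and attribute encoding of whatever is finally emitted.

// Scheme allow-list (assumption for this example; extend per product needs).
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the link target to use as href, or null if it must be refused.
function safeLinkTarget(raw) {
  if (typeof raw !== "string") return null;
  // Mirror what the URL parser does before scheme detection: drop leading and
  // trailing C0 controls/space, and drop tab/newline anywhere. This is what
  // turns " JavaScript:" or "java\tscript:" into a plain "javascript:" so the
  // scheme check below sees it.
  const cleaned = raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  if (cleaned === "") return null;

  let url;
  try {
    // Parse against a fixed base so relative targets ("/docs", "#top") are
    // accepted; absolute targets keep their own scheme, which is what we check.
    url = new URL(cleaned, "https://example.invalid/");
  } catch {
    return null; // unparseable input is refused, never passed through
  }
  if (!SAFE_SCHEMES.has(url.protocol)) return null;
  // Return the caller's (cleaned) form so relative links stay relative.
  return cleaned;
}

// Minimal HTML/attribute encoder; used for both the href and the link text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Emits an anchor for a safe target, or just the (escaped) text when the
// target is refused, so a bad link degrades to plain text rather than script.
function renderLink(text, rawHref) {
  const href = safeLinkTarget(rawHref);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs: one benign link and three attack shapes.
const samples = [
  "https://example.com/a?b=1",
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeLinkTarget(s));
}
```

Encoding the href with escapeHtml matters even after the scheme check: a target such as "javascript&colon;alert(1)" has no scheme as far as the URL parser is concerned and passes as a relative link, but if it were written into the attribute unencoded the HTML parser would decode the entity and the browser would see "javascript:" again.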
https://ift.tt/2BXH9Qo
UK NCSC: Don't disable updates so you can continue using Adobe Flash past its EOL https://ift.tt/2GjhiXL

The UK's cyber-security agency warned on Wednesday of the dangers and complications that may arise from not removing Adobe Flash Player and continuing to use the software past its end-of-life (EOL) date of December 31, 2020.

Problematic scenarios include enterprise and other networks where legacy web apps and desktop software still use Flash to display multimedia content or support features like file uploads, file explorers, loading screens, and more.

The UK National Cyber Security Centre (NCSC) fears that some system administrators —with disregard for the security of their network— might make the wrong decision and disable update mechanisms in these applications or web browsers so employees can continue using these apps.

"Just to be clear: You should not disable browser and/or platform updates as a way of continuing to use Adobe Flash Player after 2020," the agency said on Wednesday. [Emphasis by the NCSC]

"Instead, we encourage you to work alongside your suppliers to remove Flash dependencies. Any vendors that are unwilling, or unable, to do this should, themselves, be considered risky."

Some software providers like SAS, Citrix, Articulate, and others have already released updates and customer guidelines in preparation for the Flash EOL. Others may not have, and system administrators may need to intervene, remove the software from their networks and find a Flash-free alternative.

But if there's one thing IT administrators can't say, it's that they've been taken by surprise. Adobe gave companies a three-year head start to prepare for the Flash EOL, having first announced it in 2017. Browser makers like Apple, Google, Microsoft, and Mozilla have all announced that they also plan to remove Flash from their products by the end of 2020 or late January 2021, making it impossible to play any Flash content inside their products.

In a recent update to the Flash EOL page, Adobe itself has asked companies to be proactive about the EOL and remove the software even before the end of the year, and it plans to manually prompt users to uninstall Flash later this year.

This is the second time that the NCSC has stepped forward to issue a warning to UK IT admins about soon-to-be EOL software. The agency published a similar alert in August 2019 urging software developers to migrate their code to Python 3.x as the Python 2.x branch neared its scheduled EOL date of January 1, 2020.

Digital Trends via ZDNet | Security https://www.zdnet.com/ October 1, 2020 at 12:29AM
https://ift.tt/3cK8Soq
Singapore to treat infosec as equivalent public good to fresh running water https://ift.tt/2GezSR9

The assistant chief executive of Singapore's Cyber Security Agency, Brigadier General Gaurav Keerthi, says the island nation now considers providing a secure environment to citizens and businesses the equivalent of providing fresh water and sewerage services, and will next week improve digital hygiene with a voluntary scheme that will rate the security of consumer broadband gateways.

Speaking at the Black Hat Asia conference in Singapore today, Keerthi explained that it's his job to defend Singapore from cyber-threats. To explain his approach he started with a little history lesson in which he recounted how in the 1800s securing a fresh water supply and disposing of waste water were seen as personal responsibilities. Once it was realised that public health crises were the result of that attitude, widespread rollout of a universal fresh water supply and sewerage quickly became seen as a public good that governments needed to provide.

Keerthi said government thinking about information security is mired in that 1800s mentality of hoping citizens will do the right thing, or can be scolded into better behaviour. But with everyday life increasingly dependent on online services, he said Singapore has decided it is time to provide the infosec equivalent of clean tap water to all.

One way the nation is doing so is with services that the private sector can, pardon the pun, tap into. To that end the country offers "SingPass", a national identity scheme that links citizens to services and is also offered to private enterprise such as banks as a free-to-use alternative to developing their own authentication schemes. "We want to make the secure process the easier process," Keerthi explained, promising the announcement of more such services for developers next week.

Also to be revealed next week is a "Consumer labelling service" for connected devices. The scheme will initially see gateways provided by ISPs and smart hubs rated with a four-star assessment of their security. Keerthi likened the ratings to nutrition advice on food packaging and said the aim of the scheme is to have vendors aspire to winning good ratings and make investments that will make their products, and therefore Singapore, more secure.

Singapore has form in this field, he said, with energy efficiency ratings for air conditioners. Before the advent of those ratings, Keerthi said, consumers bought on price and manufacturers raced to the bottom. Today he says manufacturers even claim they would achieve a six-star rating if Singapore's scheme did not max out at five stars.

Keerthi said the scheme will not be mandatory, but over time he thinks it will become natural for vendors to participate. The Register asked how Singapore plans to secure participation in the scheme given the sheer quantity of connected devices on offer. Keerthi's answer was "one at a time", starting with devices that have the greatest potential for harm. Details of how devices will be rated will be revealed during Singapore International Cyber Week 2020, which starts on October 5th.

Keerthi also said that Singapore hopes to share its consumer tech labelling scheme with other nations, as it believes the notion of infosec as a public good will become widespread to safeguard increasing dependence on national services and therefore improve national security.

Digital Trends via The Register – Security https://ift.tt/2XeTLgv October 1, 2020 at 12:22AM
https://ift.tt/34glrnt
Allbirds CEO Joey Zwillinger on the startup’s $100 million round, profitability, and SPAC mania https://ift.tt/36koNIO

As people spend less time out in the world and more time daydreaming about when a vaccine will arrive, lifestyle shoes are only gaining traction. One obvious beneficiary is Allbirds, the San Francisco-based maker of comfortable, sustainable kicks that launched in 2016 and quickly became a favorite in Silicon Valley circles before taking off elsewhere. Though the company saw its business slow this year because of the pandemic, its products are now available to purchase in 35 countries and its 20 brick-and-mortar stores are sprinkled throughout the U.S. and Europe, with another outpost in Tokyo and several shops in China.

Investors clearly see room for more growth. Allbirds just closed on $100 million in Series E funding at roughly the same $1.6 billion valuation it was assigned after closing on $27 million in Series D funding earlier this year, and blank-check companies have been calling, says cofounder and CEO Joey Zwillinger. He talked with us earlier this week in a chat that has been edited for length and clarity.

TC: Your shoes are sold worldwide. What are your biggest markets?

JZ: The biggest market by far is the U.S., and the same day that we started here in 2016, we also launched in New Zealand, so that’s been very good to us over the last four years, too. But we’ve seen growth in Japan and Korea and China and Canada and Australia. We have a network of warehouses globally that lets us reach 2.5 billion people [who], if they were so inclined, could get their product in three days. We’re proud of the infrastructure we’ve set up.

TC: We’ve all worn shoes a lot less than we might have expected in 2020. How has that impacted your business?

JZ: We’re growing but definitely not at the same pace we would be had the pandemic not occurred. We’re predominantly digital in terms of how we reach people, but stores are important for us. And we had to switch [those] off completely and lost a portion of our sales for a long time.

TC: Did you have to lay off your retail employees?

JZ: A large portion of our retail force was unable to work, but we were luckily able to keep them fully paid for four months, plus [some received] government benefits if they got that. And now all of our 20 stores are up and running again in a way that’s totally safe and everyone feels really comfortable. We also donated shoes to frontline workers — 10,000 pairs or around a million dollars’ worth.

TC: What does Allbirds have up its sleeve, in terms of new offerings?

JZ: We just launched our native mobile app, and through it we’re able to give our more loyal fans exclusives. It’s a really cool experience that blends technology with fashion. You can try on shoes in a virtual mirror; you’re given information [about different looks] that you wouldn’t have otherwise. We also launched wool-based weather-proofed running shoes in April that have blown away our expectations but [were fast discovered by] people who haven’t really been running for 10 to 15 years and are running again [because of gym closures]. It’s a super high-stakes category and one that’s hard to break into because people buy on repeat. But we spent two years making it. It’s not like we launched it because of the pandemic. It’s a shoe for 5K to 10K distances — it’s not a marathon shoe or a trail shoe — and that we’ve been able to clearly articulate that speaks to its success, I think.

TC: What about clothing?

JZ: We launched underwear and socks last year in a small launch. We developed a textile that hasn’t been used before — it’s a blend of tree fiber and merino wool because our view is that nature can unlock magic. Underwear is typically synthetic — it’s made from plastics — or cotton, which isn’t a great material for a whole bunch of reasons. [Meanwhile] ours is phenomenal for temperature control; it also feels like cashmere.

TC: Patagonia really advertises its social and environmental values. Do you see Allbirds evolving in a similar way, with a growing spate of offerings?

JZ: I’m incredibly humbled by [the comparison]. Given their environmental stewardship of the retail sector, we hope we’re compared to them. But they are much more of an outdoor brand — not a competitor so to speak. And we’d love to share more of the retail world with them so we can do our environmental thing together.

TC: You just raised funding. Are you profitable and, if not, is profitability in sight?

JZ: We’ve been profitable for most of our existence. Having some discipline as we grow is good. We’re not close to the profitability that we’ll eventually have, but we’re still a small company in investment mode. After we emerge from the pandemic, we’ll enter a ramping-up phase.

TC: Everyone and their brother is raising money for a blank-check company, or SPAC, which can make it a lot faster for a private company to go public. Have you been approached, and might this option interest you?

JZ: Yes and no. Yes we’ve been approached, and no, we’re [not interested]. We want to build a great company and being public might be something that helps enable that for a whole bunch of reasons. But we want to do it at the right time, in a way that helps the business grow in the most durable and sustainable fashion. Just jumping at the opportunity of a SPAC without doing the rigorous prep the way we want to, we’re not super focused on that.

Digital Trends via TechCrunch https://techcrunch.com October 1, 2020 at 12:10AM