The Human Cost of Cyberattacks

The International Committee of the Red Cross has just published a report: “The Potential Human Cost of Cyber-Operations.” It’s the result of an “ICRC Expert Meeting” from last year, but was published this week.

Here’s a shorter blog post if you don’t want to read the whole thing. And commentary by one of the authors: https://blog.lukaszolejnik.com/icrc-report-on-cyberoperations/

Source: Schneier

CyberGhost VPN – The Best VPN to Protect Your Privacy Online with No Log Policy

CyberGhost VPN

A VPN, short for Virtual Private Network, protects you from threats on public networks, and it can also shield you wherever you are from the probing of governments, companies, or your internet service provider itself. It encrypts your traffic before it leaves your computer, so anyone sitting between you and the VPN server sees only an encrypted tunnel rather than the sites you visit. You could compare […]

The post CyberGhost VPN – The Best VPN to Protect Your Privacy Online with No Log Policy appeared first on GBHackers On Security.

Source: GBHackers

Critical vulnerability found in WordPress plugin Convert Plus

For the second time this week a WordPress plugin has been found vulnerable; this time the flaw, in the plugin Convert Plus, lets an unauthenticated attacker obtain administrative privileges.

Convert Plus, which has 100,000 active installs, is a commercial lead generation tool containing a critical-rated “unauthenticated administrator creation” flaw, according to Wordfence. If exploited, the flaw allows an attacker to create and register new accounts with various privilege levels up to administrator.

Those using Convert Plus version 3.4.2 need to immediately update to version 3.4.3, Wordfence said.

“We have released a firewall rule to protect Wordfence Premium users who may not be able to update yet, but we still recommend installing the patch. Free users will receive the new rule after thirty days,” Wordfence said in a blog post.

The issue was found on May 24 and a patch was released on May 28, the same day a firewall rule was released for Wordfence Premium users. On June 27 the firewall rule will roll out for all users.

Earlier this week researchers at Defiant, the company behind Wordfence, found a vulnerability in the plugin Slick Popup.

The problem lies in the plugin’s handling of new subscribers. The form that processes new subscribers lets an administrator choose the user role that an added email address should receive. By default the role is set to none, but the site’s owner can select from a list of roles, such as subscriber. The administrator role is deliberately absent from that list, yet there is a way to obtain it anyway.

“In vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user. Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user,” Wordfence said.

Because no validation is applied when the subscription is created, an attacker can submit the subscription form with the value of cp_set_user changed to administrator, and the plugin will create an account with that role tied to the attacker’s email address. Although a randomized password is generated for the account, the attacker controls the email address and can simply set a new password through the normal password reset function, then log in as an administrator.
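The core mistake is trusting a hidden form field for a server-side setting. The following is an added illustration in Python, not the plugin’s PHP code: it models a subscription handler that reads the role from the request body (the flawed pattern) next to one that reads the configured role from storage and checks it against an allowlist that never contains administrator. The field name cp_set_user is the one named in the Wordfence write-up; everything else (SITE_SETTINGS, ALLOWED_SIGNUP_ROLES, the handler names, the constructed request) is an assumption made for the example.

```python
"""Model of the Convert Plus role-assignment flaw.

Added example, not the plugin's own code. Only the form field name
`cp_set_user` comes from the write-up; the settings store, allowlist,
handler names and sample request are assumptions for illustration.
"""
import secrets

# Constructed stand-in for the plugin's stored option: the site owner
# picked "subscriber" as the role that new sign-ups receive.
SITE_SETTINGS = {"cp_set_user": "subscriber"}

# Roles an unauthenticated sign-up may ever be granted. Privileged roles
# such as administrator are deliberately absent.
ALLOWED_SIGNUP_ROLES = {"none", "subscriber"}


def create_user(users, email, role):
    """Create an account with a random password (stand-in for
    wp_insert_user plus wp_generate_password) and return its record."""
    record = {"email": email, "role": role,
              "password": secrets.token_urlsafe(16)}
    users[email] = record
    return record


def handle_subscription_vulnerable(users, post):
    """Flawed pattern: the role is taken from the same HTTP body as the
    email address, so whoever submits the form chooses their own role."""
    role = post.get("cp_set_user", "none")
    if role == "none":
        return None
    return create_user(users, post["email"], role)


def handle_subscription_fixed(users, post, settings=SITE_SETTINGS):
    """Hardened pattern: ignore any role in the request, read the
    configured role server-side and refuse anything off the allowlist."""
    role = settings.get("cp_set_user", "none")
    if role not in ALLOWED_SIGNUP_ROLES:
        raise ValueError(f"configured sign-up role {role!r} is not permitted")
    if role == "none":
        return None
    return create_user(users, post["email"], role)


def attacker_request():
    """Constructed request body: the attacker edited the hidden field
    before submitting the form."""
    return {"email": "attacker@example.com", "cp_set_user": "administrator"}


def reset_password(users, email):
    """Stand-in for the password-reset flow: a reset is delivered to the
    address on the account, so the account owner (here, the attacker)
    can always set a fresh password. Returns the new password."""
    record = users[email]
    record["password"] = secrets.token_urlsafe(16)
    return record["password"]


if __name__ == "__main__":
    store = {}
    won = handle_subscription_vulnerable(store, attacker_request())
    print("vulnerable handler granted role:", won["role"])
    print("attacker resets password, now logs in with:",
          reset_password(store, won["email"]))

    store = {}
    safe = handle_subscription_fixed(store, attacker_request())
    print("fixed handler granted role:", safe["role"])
```

The fixed handler fails closed in two ways: the request can no longer influence the role at all, and even a stored setting is rejected if it is outside the allowlist, which is the defence the original code lacked. The `reset_password` stand-in shows why the random password offers no protection once the attacker controls the registered email address.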

The post Critical vulnerability found in WordPress plugin Convert Plus appeared first on SC Media.

Source: SC