XSS Bug in SEOPress WordPress Plugin Allows Site Takeover
“The permissions_callback for the endpoint only verified if the user had a valid
REST-API nonce in the request,” according to the posting. “A valid REST-API
nonce can be generated by any authenticated user using the rest-nonce WordPress
core AJAX action.” Depending on what an attacker updates the title and
description to, it would allow a number of malicious actions, up to and
including full site takeover, researchers said. “The payload could include
malicious web scripts, like JavaScript, due to a lack of sanitization or
escaping on the stored parameters,” they wrote. “These web scripts would then
execute any time a user accessed the ‘All Posts’ page. As always, cross-site
scripting vulnerabilities such as this one can lead to a variety of malicious
actions like new administrative account creation, webshell injection, arbitrary
redirects and more. This vulnerability could easily be used by an attacker to
take over a WordPress site.” To protect their websites, users should upgrade to
version 5.0.4 of SEOPress. Vulnerabilities in WordPress plugins remain
fairly common.
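To make the flaw the researchers describe concrete, here is an added illustration in the WordPress plugin idiom (hypothetical code, not SEOPress's own source): a permission callback that only verifies the REST nonce, beside a hardened version that checks a capability on the post being edited, sanitizes the stored values on input, and escapes them on output. The route name, meta keys and function names are assumptions.

```php
<?php
// Hypothetical illustration, not SEOPress code. Assumes a WordPress plugin context.

// WEAK: relies only on the REST nonce. WordPress core already checks X-WP-Nonce for
// cookie-authenticated requests, so any logged-in user (e.g. a subscriber) passes
// and can write attacker-controlled strings into post meta.
function weak_permission_check( WP_REST_Request $request ) {
    return wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) !== false;
}

// HARDENED: require a capability tied to the specific post, not merely a nonce.
function hardened_permission_check( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions', array( 'status' => 403 ) );
    }
    return true;
}

// Sanitize on input: strip tags and control characters before storing.
function hardened_update_seo_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    $title   = sanitize_text_field( $request['title'] );
    $desc    = sanitize_textarea_field( $request['description'] );
    update_post_meta( $post_id, '_example_seo_title', $title );
    update_post_meta( $post_id, '_example_seo_description', $desc );
    return rest_ensure_response( array( 'id' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_update_seo_meta',
        'permission_callback' => 'hardened_permission_check',
        'args'                => array(
            'title'       => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
    ) );
} );

// Escape on output: the stored value is rendered in the admin list table
// (the 'All Posts' page), so it must be escaped there regardless of input handling.
function render_seo_title_column( $post_id ) {
    echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
}
```

The capability check closes the authorization gap; sanitizing and escaping together close the stored-XSS path, since either one alone leaves a window if the other is bypassed.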
How building a world class SOC can alleviate security team burnout
In the short term, this alert overload means an increased potential for
high-risk threats being missed as analysts attempt to slog through as many
alerts as possible alongside their other duties. Aside from the immediate
security issues, this kind of environment poses some serious long-term problems.
The frustrations of burnt-out teams can build to the point where analysts will
decide to quit their job in search of less stressful positions. We have found
that around half of security personnel are considering changing roles at any
given time. Not only will they be taking their experience and skills with them,
but the ongoing cyber shortage means finding a replacement may be a long and
costly process. A team that spends most of its time trudging through alerts and
running to put out security fires will also have very little time left for any
higher-level strategic activity. This might include undertaking in-depth risk
analysis and establishing improved security strategies and processes. Without
this activity, the organization will struggle to keep up with evolving cyber
threats.
Security through obscurity no longer works
You might expect that companies would be better off keeping their cards close to
their chest. The less hackers know about how a company guards its data, the
safer the data becomes, according to this line of thinking. In fact, the
opposite is true. Secrecy in cyber security puts everyone at risk: the company,
its customers, and its suppliers. Electric vehicles serve as a good example of
the value of openness in cyber security. Many models require extremely
sophisticated software that has to be updated frequently. For example, Tesla
distributes updates to owners at least once per month. To deliver updates, an
electric car maker requires worldwide access privileges to the on-board
computers on its cars. Naturally, car owners want certainty that this does not
expose them to hacking, remote carjackings and shutdowns, or being spied on as
they drive. For this reason, makers of electric vehicles need to be extremely
open about their cyber security so that owners, or trusted experts, can assess
if the company’s systems offer effective protection. Although they do not
themselves manage data, telecom equipment makers take their responsibility in
supplying network operators just as seriously as makers of electric cars.
Container Best Practices: What They Are and Why You Should Care
One of the common pitfalls organizations fall into is succumbing in practice to
the misperception that container minification IS container best practice.
Without a doubt, an outsized amount of time and energy is spent thinking about
reducing the size of a container image (minification), and with good reason.
Smaller images are safer; faster to push, pull, and scan; and just generally
less cumbersome in the development lifecycle. That’s why “shrinking a container”
has become a common subject for blog posts, video tutorials and Twitter posts.
It’s also why the DockerSlim open source project, created and maintained by Kyle
Quest, is so popular. It is best known for its ability to automatically create a
functionally equivalent but smaller container. Another common tactic for
container minification could be described as “The Tale of Two Containers.” In
this approach, developers first create a “dev container” comprising all the
tools they love to use for development. Then, once development is complete,
developers convert their “dev containers” to “prod containers,” typically by
replacing the “heavy” underlying base image with something lighter and more
secure.
What is Today's Relevance of an Enterprise Architecture Practice?
It seems that, especially in modern tech companies, the importance of the
Enterprise Architecture (EA) practice is decreasing. Some organizations might
even consider it an irrelevant practice. In the following, we analyze where
such opinions emerge from. In the later parts of this series, we will provide
arguments against that reasoning and an analysis that underpins why
this is not the end of Enterprise Architecture as a practice. However,
Enterprise Architecture will go through a transformation towards an adapted
set of activities, new priorities, and new required skills. ... Apart from the
arguments above, there is an additional observation that is common across
many different organizations: the more old-world / legacy IT an organization
has, the more important the Enterprise Architects in the organization are.
Similarly, in organizations with both old- and new-world IT, Enterprise Architects
are responsible for managing the architecture of the old world. However, they
have only little influence on the development of the new-world IT, the digital
area.
How computer vision works — and why it’s plagued by bias
Like machine learning overall, computer vision dates back to the 1950s.
Without our current computing power and data access, the technique was
originally very manual and prone to error. But it did still resemble computer
vision as we know it today; the effectiveness of first processing according to
basic properties like lines or edges, for example, was discovered in 1959.
That same year also saw the invention of a technology that made it possible to
transform images into grids of numbers, which incorporated the binary
language machines could understand into images. Throughout the next few
decades, more technical breakthroughs helped pave the way for computer vision.
First, there was the development of computer scanning technology, which for
the first time enabled computers to digitize images. Then came the ability to
turn two-dimensional images into three-dimensional forms. Object recognition
technology that could recognize text arrived in 1974, and by 1982, computer
vision really started to take shape. In that same year, one researcher further
developed the processing hierarchy, just as another developed an early neural
network.
John Oliver on ransomware attacks: ‘It’s in everyone’s interest to get this under control’
Most ominously, ransomware attacks now threaten numerous internet-connected,
“smart” in-home devices, such as thermostats, TVs, ovens or even
internet-enabled sex toys, such as a butt plug. Which prompted Oliver to
remind his audience “arseholes are like opinions – letting the internet be in
charge of yours is a really bad idea”. Oliver was legally obligated to say
that the butt plug comes with a physical key for emergencies, “which I’m not
sure is completely reassuring – keys do get lost, don’t they? Just picture the
last time you searched for keys around your house and now raise the stakes
significantly.” The point, he continued, was that the costs of ransomware keep
rising as the barrier to entry keeps lowering. The explosion in attacks
derives from three main factors. First, ransomware as a service, as in hacking
programs sold a la carte, removing the need for technical know-how. “Ideally, no one
would launch ransomware attacks,” said Oliver, “but my next preference would
be that launching one should require significantly more work than simply
clicking ‘add ransomware to cart.’”
IoT could drive adoption of near-premises computing
Strategically, it's not a major leap to consider near-premises data centers
that are hybrid, on premises or cloud-based. However, there are always issues
such as figuring out how to redeploy when you have budget constraints and
existing resources that must stay working. CIOs and infrastructure architects
must also find time to reconstruct IT infrastructure for near-premises
computing. Crawford said that enterprises adopting near-premises computing can
reduce their compute and storage infrastructure TCO by 30% to 50% and
eliminate most or all of the capital costs they would typically need to spend
on the data center itself; and that these gains can be further compounded by
turning capital expenses into operating expenses through new scalable service
models. If CIOs can demonstrate these gains in the cost models that they
prepare for IT budgets, near-premises computing may indeed become a new
implementation strategy at the edge. Don't overlook the resilience that
near-premises computing brings. "The performance of near-premises computing
rivals that of on-premises computing but also has the capability to add
significantly more resilience," Crawford said.
Enterprise Architecture for Digital Business: Integrated Transformation Strategies
In order to move forward with the DT journeys in this new horizon of
post-pandemic era, practitioners must consider a broader perspective of EA.
They must review the impacts as well as synergies of innovation, disruption,
and collaboration with their transformation initiatives. An innovation is not
just a new way of developing and deploying business solutions – it is also to
deliver tangible business outcomes to customers proactively and consistently.
Disruption often leverages innovation to accentuate the changes in a business
using emerging technology trends. Collaboration harnesses the power of
innovation and disruption to enable practitioners to work together and achieve
quantifiable business results. It is evident that in this near-post-pandemic
era, a new horizon of the business world is evolving. The practitioners must
endure rapid changes through the use of digital transformation while
leveraging a nimble, flexible, and agile enterprise architecture framework
that embraces the essence of innovation, disruption, and collaboration
efficiently.
What it means to be a Human leader
Listening should be an everyday task. Leaders discover what is on their
staff’s mind only by listening, whether that is a set-piece exercise or on an
ongoing basis. Charlie Jacobs, the senior partner at London-based law firm
Linklaters since 2016, tries to do this by putting himself in places where he
can have informal conversations. Back when business travel was commonplace,
whenever he arrived in one of Linklaters’ 30 offices around the world, he
headed to the gym, not the boardroom, to find out what was going on. Jacobs
was no fan of after-hours drinks and preferred a pre-work spinning class that
allowed him to mingle with colleagues from all levels while working up a
sweat. “I get a different cross-section of people coming, we get a shake or a
fruit juice afterwards, and they can see a more down-to-earth side to the
senior partner,” he told me. ... Human leaders are focused on making the best
use of their time and keeping organizations focused on their mission. They act
as executive sponsors to pluck ideas from within their organization and ensure
that promising projects make headway.
Quote for the day:
"Inspired leaders move a business
beyond problems into opportunities." -- Dr. Abraham Zaleznik