GitHub wants to help developers spot security issues before they get too serious

In an effort to further secure open source software, GitHub has announced that the GitHub Advisory Database is now open to community contributions.

While the company has its own teams of security researchers that carefully review all changes and help keep security advisories up to date, community members often have additional insights and intelligence on CVEs but lack a place to share this knowledge.

This is why GitHub is publishing the full contents of its Advisory Database to a new public repository to make it easier for the community to leverage this data. At the same time, the company has built a new user interface for security researchers, academics and enthusiasts to make contributions.

All of the data in the GitHub Advisory Database is licensed under a Creative Commons license and has been since the database was first created to ensure that it remains free and usable by the community.

Contributing to a security advisory

In order to provide a community contribution to a security advisory, GitHub users first need to navigate to the advisory they wish to contribute to and submit their research through the “suggest improvements for this vulnerability” workflow. Here they can suggest changes or provide more context on packages, affected versions, impacted ecosystems and more.

The form will then walk users through opening a pull request that details their suggested changes. Once this is done, security researchers from the GitHub Security Lab, as well as the maintainer of the project who filed the CVE, will be able to review the request. Contributors will also get public credit on their GitHub profile once their contribution has been merged.

To improve interoperability, advisories in the GitHub Advisory Database repository use the Open Source Vulnerabilities (OSV) format, a JSON schema that describes the affected package, ecosystem and version ranges in a machine-readable way. Oliver Chang, a software engineer on Google's Open Source Security Team, provided further details on the OSV format in a blog post, saying:

“In order for vulnerability management in open source to scale, security advisories need to be broadly accessible and easily contributed to by all. OSV provides that capability.”
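Because OSV is machine-readable, the practical payoff of the repository is that a build pipeline can match its own dependency inventory against the advisories directly. The following is an added example, not code from GitHub or from the OSV project, of how an OSV range is evaluated: the advisory, its ID "EXAMPLE-2021-0001", the package "example-widget" and its versions are constructed placeholders rather than a real vulnerability, and version ordering is plain dotted-integer comparison, which real tooling must replace with the ecosystem's own rules (for example PEP 440 for PyPI).

```python
"""Check an installed package against an OSV-format advisory.

Added example, not code from GitHub or from the OSV project.  The advisory
below is constructed for illustration: the ID "EXAMPLE-2021-0001", the
package "example-widget" and its versions are placeholders, not a real
vulnerability.  Version ordering here is plain dotted-integer comparison;
real tooling must use the ecosystem's own rules (e.g. PEP 440 for PyPI).
"""
import json

# Constructed OSV document (schema: https://ossf.github.io/osv-schema/).
SAMPLE_ADVISORY = json.loads("""
{
  "schema_version": "1.3.0",
  "id": "EXAMPLE-2021-0001",
  "summary": "Placeholder advisory for a hypothetical package",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "example-widget"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}
      ],
      "versions": ["1.2.0", "1.3.0", "1.4.0"]
    }
  ]
}
""")


def parse_version(text):
    """Dotted integers only; '0' is the OSV marker for 'since the beginning'."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, events):
    """OSV range semantics: each 'introduced' opens an interval that the next
    'fixed' (exclusive) or 'last_affected' (inclusive) closes; an 'introduced'
    with no closing event means every later version is still affected."""
    v = parse_version(version)
    lower = None
    for event in events:
        if "introduced" in event:
            lower = parse_version(event["introduced"])
        elif "fixed" in event and lower is not None:
            if lower <= v < parse_version(event["fixed"]):
                return True
            lower = None
        elif "last_affected" in event and lower is not None:
            if lower <= v <= parse_version(event["last_affected"]):
                return True
            lower = None
    return lower is not None and v >= lower


def is_affected(advisory, ecosystem, name, version):
    """True if name@version in the given ecosystem falls in any affected block."""
    for block in advisory.get("affected", []):
        pkg = block.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in block.get("versions", []):
            return True
        for rng in block.get("ranges", []):
            # GIT ranges use commit hashes, which cannot be ordered this way.
            if rng.get("type") in ("ECOSYSTEM", "SEMVER"):
                if version_in_range(version, rng.get("events", [])):
                    return True
    return False


def scan_inventory(advisories, inventory):
    """Match a list of (ecosystem, name, version) against many advisories;
    returns (advisory id, name, version) for every hit."""
    hits = []
    for ecosystem, name, version in inventory:
        for adv in advisories:
            if is_affected(adv, ecosystem, name, version):
                hits.append((adv["id"], name, version))
    return hits


if __name__ == "__main__":
    inventory = [("PyPI", "example-widget", "1.3.5"),
                 ("PyPI", "example-widget", "1.4.1"),
                 ("npm", "example-widget", "1.3.5")]
    for hit in scan_inventory([SAMPLE_ADVISORY], inventory):
        print("affected:", hit)
```

Note that the `fixed` bound is exclusive and `last_affected` is inclusive; getting that boundary wrong is the classic way a scanner either misses the last vulnerable release or raises a false alarm on the patched one.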

We'll likely hear more about this change to the GitHub Advisory Database once security researchers, academics and enthusiasts begin making their own contributions to the company's database.

TechRadar – All the latest technology news


There are more malicious domains online than ever before

Thousands of new domains are registered every day so that businesses and individuals can build websites, but new research from Palo Alto Networks has revealed that cybercriminals often register malicious domains years before they intend to actually use them.

The cybersecurity firm's Unit 42 began researching dormant malicious domains after it emerged that the threat actors behind the SolarWinds supply-chain attack (disclosed in December 2020, with intrusion activity dating back to 2019) had used them. To identify strategically aged domains and monitor their activity, Palo Alto Networks launched a cloud-based detector in September 2021.

According to the firm's researchers, 22.3 percent of strategically aged domains pose some form of danger, with a small portion being outright malicious (3.8%), a majority being suspicious (19%) and some being unsafe for work environments (2%), as the firm categorised them.

The reason cybercriminals and other threat actors let a domain age is to build a “clean record”, so that the domain is less likely to be blocked when it is finally used. Newly registered domains (NRDs), by contrast, are more likely to be malicious, and security systems often flag them as suspicious for that reason. However, according to Palo Alto Networks, strategically aged domains are three times more likely to be malicious than NRDs, which means that treating domain age alone as a sign of trustworthiness is a weak control.

Detecting malicious domains lying dormant

A sudden spike in traffic to a strategically aged domain is a strong indicator that it is malicious. Legitimate websites typically see their traffic grow gradually from the day they are created, as more people visit after learning about the site through word of mouth or advertising; a domain that sits idle for years and then lights up overnight is behaving like infrastructure that was switched on for a campaign.

At the same time, domains that aren't intended for legitimate purposes often have incomplete, cloned or questionable content and usually lack WHOIS registrant details as well. Another sign that a domain was registered and intended to be used at a later time in malicious campaigns is DGA subdomain generation.

For those unfamiliar, a DGA, or domain generation algorithm, is a technique malware uses to compute a constantly changing stream of domain names for its command and control (C2) servers. Because the names are produced algorithmically rather than hard-coded, static block lists and takedowns lag behind, and the infrastructure is harder to detect. Just by examining sites using DGA-style names, Palo Alto Networks' cloud-based detector was able to identify two suspicious domains each day.
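The three indicators described above (a long-dormant domain that suddenly spikes, random-looking DGA-style subdomain labels, and missing WHOIS registrant details) can be scored together. The following is an added example, not Palo Alto Networks' detector; the thresholds (two years of age, a tenfold traffic jump, three bits of label entropy) and the per-domain telemetry are constructed for illustration, and the ".test" names are reserved rather than real domains.

```python
"""Heuristics for triaging strategically aged domains.

Added example; this is not Palo Alto Networks' detector.  The feature
thresholds (two years of age, a 10x traffic jump, label entropy of 3 bits)
and the per-domain telemetry below are constructed for illustration, and the
".test" names are reserved, not real domains.
"""
import math
import statistics
from collections import Counter
from datetime import date

TODAY = date(2021, 12, 1)           # assumed observation date

# Constructed telemetry: one record per domain, 67 days of query counts.
SAMPLE_TELEMETRY = [
    {   # ordinary site: registered long ago, traffic grows steadily, WHOIS present
        "domain": "gradual-growth.test",
        "registered": date(2018, 3, 1),
        "daily_queries": list(range(10, 77)),
        "subdomains": ["www", "shop", "cdn", "customerportal"],
        "whois_registrant": True,
    },
    {   # aged, silent for two months, then lights up with random-looking labels
        "domain": "parked-since-2019.test",
        "registered": date(2019, 5, 10),
        "daily_queries": [0] * 60 + [350, 410, 390, 455, 500, 480, 520],
        "subdomains": ["x7kq9zp2wm", "q3vz8rt4nd", "zk2p9mq7xw", "mail"],
        "whois_registrant": False,
    },
    {   # newly registered: handled by NRD rules, not by this aged-domain logic
        "domain": "brand-new.test",
        "registered": date(2021, 10, 1),
        "daily_queries": [0] * 60 + [5, 8, 12, 20, 25, 30, 40],
        "subdomains": ["www"],
        "whois_registrant": True,
    },
]


def shannon_entropy(label):
    """Bits of entropy per character in a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label):
    """DGA-style labels tend to be long, high-entropy and vowel-poor."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.3


def traffic_spike(daily_queries, recent_days=7, ratio=10.0):
    """True when the recent window dwarfs the earlier baseline; a baseline
    of zero counts as 1 so a domain that was completely idle still trips it."""
    if len(daily_queries) <= recent_days:
        return False
    baseline = statistics.mean(daily_queries[:-recent_days])
    recent = statistics.mean(daily_queries[-recent_days:])
    return recent >= max(baseline, 1.0) * ratio


def assess_domain(record, today=TODAY, min_age_days=730):
    """Score an aged domain by how many of the indicators it shows."""
    age_days = (today - record["registered"]).days
    result = {"domain": record["domain"], "aged": age_days >= min_age_days,
              "score": 0, "reasons": []}
    if not result["aged"]:
        return result
    if traffic_spike(record["daily_queries"]):
        result["reasons"].append("dormant, then sudden traffic spike")
    generated = [s for s in record["subdomains"] if looks_generated(s)]
    if len(generated) >= 3:
        result["reasons"].append(f"{len(generated)} DGA-like subdomain labels")
    if not record["whois_registrant"]:
        result["reasons"].append("no WHOIS registrant details")
    result["score"] = len(result["reasons"])
    return result


def flag_aged_domains(records, today=TODAY, min_score=2):
    """Return names of aged domains with at least `min_score` indicators."""
    assessed = (assess_domain(r, today) for r in records)
    return [a["domain"] for a in assessed if a["aged"] and a["score"] >= min_score]


if __name__ == "__main__":
    for rec in SAMPLE_TELEMETRY:
        print(assess_domain(rec))
    print("flagged:", flag_aged_domains(SAMPLE_TELEMETRY))
```

Requiring at least two indicators keeps a single noisy feature (a legitimate site that goes viral, or a privacy-protected WHOIS record) from producing a block on its own; in production the entropy and ratio thresholds would be tuned against the organisation's own resolver logs.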

During its investigation, the cybersecurity firm discovered a Pegasus spyware campaign that used two C2 domains registered in 2019 which only became active two years later, in July 2021. Palo Alto Networks' researchers also found phishing campaigns that used DGA subdomains, as well as wildcard DNS abuse.

We've also highlighted the best web hosting, best endpoint protection software and best malware removal software

Via Bleeping Computer


7 essential online security and digital tasks you should do before 2021 ends

Keeping your digital world safe and secure is vital, everyone knows that. But it also takes time, and when life is hectic, with jobs to do, places to go and people to see, it's easy to put even the most important security tasks off until 'later' – whenever that might be.

It's OK. It's the same for most of us. But it's never too late to get started, and there's a real payback for your efforts. While you may already have your antivirus and VPN installed, a few more minutes spent on even just one or two of these tasks can save you money, speed up your devices, protect you from cyber-scammers… and that's just the start.


1. Change your passwords

It's a hassle to set up, remember and manage your passwords, so precisely no-one at all wants to change them. The good news is that current guidance (NIST SP 800-63B) no longer calls for changing passwords on a fixed schedule; what matters is replacing any password that is weak, reused across several sites, or has turned up in a data breach.

So why not deal with a few of those right now? If nothing else, start with the accounts that would cause you the most damage if they were hacked – your bank, PayPal, Amazon, email – and give each of them a brand new, unique login.

And remember… if you’re tempted to use something like ‘password123’, then that’s definitely not improving your security situation. Use the Memorable Password Generator to create secure but also readable passwords.

And if you're feeling overwhelmed by the sheer amount of passwords you have to remember, then our guide to the best password managers is well worth a read.

2. Uninstall surplus apps

It's easily done. You see an app, it looks great, you install it to try later, but never get around to it. Not a problem if you've only one, but the more you add, the more your device gets weighed down by all this surplus junk. And that equally goes for apps that you used to use on a regular basis and no longer have the need for.

Take the time to browse all your apps and think about when you last used them or whether you really need them any more. If you can't think of a good reason to keep something, just uninstall it.

If you're unsure, then as long as it's not performing some useful background function (backup, security), uninstall it anyway. If you realize you need the app later, you can always reinstall it.


3. Review your finances

It's easy to sign up for apps and web services, but there's a downside: it's even easier to forget you've done that, and carry on paying for something you no longer use.

Visit your app store of choice, scroll down the Subscriptions list and make sure you recognize and need everything you see. If there's something you no longer use, cancel it; if there are payments you don't understand, investigate them.

Do the same at PayPal, if you've got an account, and with your bank, credit cards and anywhere else you might make payments. It's your money – make sure you're not handing it out without getting something useful in return.

4. Check renewal dates

Cheap VPNs, antivirus companies, web hosts and others often try to tempt you into buying with ultra-cheap signup deals. Which is great at the time, but the costs might double (or more) on renewal.

Do you have any long-term subscriptions to apps or web services where that might apply, and where the renewal date is coming up? Even if you think you know roughly when the renewal falls, remember that many companies take the renewal payment a few days before your term is up. You might remember that you bought a service in February, but if it was February 3, you might have to cancel by the end of January.

If you're unsure about any of these long-term subscriptions, sign into your web account and check. If you don't want to renew at the higher price, turn off any Auto-Renew setting, or check how to cancel (some services require that you contact them).

If you're unsure, check the latest VPN deals (or whatever) to see if switching to another provider's introductory deal might be a better plan.


5. Clean up your system

Every time you install, use or remove apps, your device is busily creating new files and folders. Some might get removed later, but others won't, and that means your device just gets more and more cluttered over time.

This isn't the disaster that speedup tools claim, and you won't magically turbo-charge your hardware just by emptying your Recycle Bin. But all these leftovers can slow you down, so it's worth taking a little time to clean up your device.

Look at your Downloads and Documents folders, for instance. Sort them by date, and look at the oldest. Delete anything you're sure you don't need. Of the rest, is there anything you won't use regularly? Think whether it might be better off backed up to the cloud, or local storage. 

On Windows, use Disk Cleanup to clear away temporary files (in Explorer, right-click a drive, choose Properties, then Disk Cleanup; the Drive Tools > Optimize button is the defragmenter, not a cleaner), or turn on Storage Sense under Settings > System > Storage. Other devices have their own maintenance tools, and there are free third-party apps (CCleaner is one) that go a little further; if you use one, download it only from the vendor's own site, since cleanup utilities have been targeted by tampered installers in the past.

6. Browse app settings

No matter how carefully you set up your device and app security, there's scope for problems later. Maybe you turn off a firewall or some other key setting, then forget to enable it later. Perhaps another device user turns off that feature by mistake. App updates might sometimes change settings (or introduce new ones) without telling you, and you haven't noticed.

Take the time to browse your device, antivirus and VPN settings and make sure they're set up to suit your needs. If you remember setting the VPN kill switch on, for instance, is that still the case? Is your antivirus configured properly? If you have cloud backup, is it protecting everything you expect?

Go and browse all the backed-up files, make sure it has the most up-to-date versions, and isn't missing anything important.


7. Visit your account dashboards

Open a new account with a VPN, security company, web store or anywhere else, and you're usually directed to a web dashboard with various admin-type details. But if you just want to download the app, manage the product or shop in the store, then probably you'll do exactly that instead, and never revisit the dashboard again.

Trouble is, that could mean you're missing out. What if there's some brand-new feature you could really use? Or a feature you're currently using, which is about to get pulled? Has there been a price change? Maybe your details have changed since you signed up, and the website has an email address you no longer use?

Log into a few of your web accounts, and just look at the dashboards. Often they'll have notifications for changes you really need to know. 

If you don't see anything, look at any 'Personal Details' page: is everything correct? What about your subscriptions, are they all as you expected? Look at the Settings page: does the site have any useful functionality you're not using, such as two-factor authentication to make it more secure? Who knows what money-saving or privacy-boosting features might be waiting for you, just a click or two away.


You can now test WordPress 5.9 before its official release

A new version of WordPress that's currently under development, WordPress 5.9, is now available in beta for testing purposes.

Given WordPress 5.9 Beta 1 is not a stable release, the developers recommend tests should be carried out on test websites rather than live sites, in case any issues reveal themselves.

WordPress has released a set of detailed instructions for users to follow in order to carry out the test successfully.

The final version of WordPress 5.9 is scheduled for release on January 25, 2022.

WordPress 5.9 Beta 1 testing 

With eight weeks left until the software goes live, WordPress has developed three different ways for users to test WordPress 5.9 Beta 1 on their sites.

The first option is to install and activate the WordPress Beta Tester plugin, select the “Bleeding edge” channel and “Beta/RC Only” stream. 

The second way is to download the beta version directly, and the third is to use WP-CLI: wp core update --version=5.9-beta1. WordPress advises against the WP-CLI option on case-insensitive filesystems.
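The three options above are one procedure with two caveats attached: use a test site, and avoid the WP-CLI route on a case-insensitive filesystem. The following is an added example, not WordPress's own tooling, that checks both before handing back the WP-CLI commands; it does not invoke wp itself, the site paths are assumed, and the filesystem probe works by creating a file in a temporary directory.

```python
"""Pre-flight for trying a WordPress pre-release with WP-CLI.

Added example, not WordPress's own tooling; it does not invoke wp itself.
It checks the two caveats from the release notes (use a staging copy, avoid
the WP-CLI route on a case-insensitive filesystem) and returns the WP-CLI
commands to run.  The site paths used below are assumed, and the probe
works by creating a file in a temporary directory.
"""
import os
import re
import tempfile

BETA_VERSION = "5.9-beta1"
PRERELEASE = re.compile(r"\d+\.\d+(?:\.\d+)?-(?:beta|RC)\d+")


def filesystem_is_case_insensitive(probe_dir=None):
    """Create CaseProbe.tmp and see whether caseprobe.tmp names the same file.
    On ext4/xfs this is False; on default APFS or NTFS it is True."""
    with tempfile.TemporaryDirectory(dir=probe_dir) as scratch:
        upper = os.path.join(scratch, "CaseProbe.tmp")
        with open(upper, "w"):
            pass
        return os.path.exists(os.path.join(scratch, "caseprobe.tmp"))


def preflight(site_path, version=BETA_VERSION, production=False, probe_dir=None):
    """Return the list of blockers; an empty list means the WP-CLI route is fine."""
    problems = []
    if production:
        problems.append("test pre-releases on a staging copy, not the live site")
    if not PRERELEASE.fullmatch(version):
        problems.append(f"{version!r} is not a beta/RC version string")
    if filesystem_is_case_insensitive(probe_dir):
        problems.append("case-insensitive filesystem: use the Beta Tester plugin "
                        "or the zip download instead of wp core update")
    return problems


def wp_cli_commands(site_path, version=BETA_VERSION):
    """Back up the database first, then update, then confirm the version."""
    base = f"wp --path={site_path}"
    return [
        f"{base} db export pre-{version}.sql",
        f"{base} core update --version={version}",
        f"{base} core version",
    ]


if __name__ == "__main__":
    staging = "/var/www/staging"        # assumed path to a test copy of the site
    blockers = preflight(staging)
    if blockers:
        print("not safe to proceed:", *blockers, sep="\n  ")
    else:
        print("\n".join(wp_cli_commands(staging)))
```

The database export comes first so that a broken beta can be rolled back; the version check at the end confirms that the update actually landed rather than silently staying on the stable release.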

WordPress said in a blog post that the point of the beta period is to polish the release before it ships. Beta 1 already contains 580 enhancements and nearly 450 bug fixes, and contributors have addressed 297 tickets for WordPress 5.9 so far, including 110 new features and enhancements.

This latest WordPress version will also introduce WordPress’ very first block-based default theme, Twenty Twenty-Two.

“It’s the very first theme that’s block based and needs thorough testing as a result,” said a WordPress contributor in the detailed guide.

WordPress also dished out extra tips for those who want to participate in testing the new version on their sites, which include testing across different browsers, testing in different languages, and seeing what the new features look like on different screen sizes.


Huawei P40 series pricing tipped weeks before the launch

The Huawei P40 family will be unveiled on March 26. While specific details around the smartphone are yet to be confirmed, a leakster has already been able to obtain the series’ pricing.

Every March, Huawei announces new members to its P series, which has often set new benchmarks for smartphone photography. However, this time, the odds are against it as it looks to thrive without Google as well as make its way through the ongoing coronavirus pandemic. 

That doesn’t seem to slow down Huawei as it continues to push towards the launch of the P40 series. Teme, a reliable leakster when it comes to Huawei smartphones, has shared what could be the final retail prices of the Huawei P40 series in Europe. 

The standard Huawei P40 model is said to be priced between €799 and €899 (~Rs 70,000), with the P40 Pro in the €999-1,099 range (~Rs 87,000). There will also be an even more premium edition (Porsche Design?), which is suggested to be priced between €1,199 and €1,299 (~Rs 1,04,000). He further adds that prices can vary a little between markets. Considering how wide the ranges are, as well as the series' past pricing, these could very well be the final prices when the phones are announced in two weeks.

Leaks have also given us a fair idea of what to expect from the Huawei P40 series. All of the models will be powered by the Kirin 990 chipset and will have 5G capabilities on board. As for the cameras, we expect a new, bigger 52MP Sony IMX700 CMOS image sensor, which is said to boast an unusually large pixel size as well as an RYYB matrix for better low-light photography.

Our teammates got a chance to go hands-on with the device and suggested that the display will have pretty sharp curves, not only on the sides but also on the top and bottom. The camera island will be bigger than ever too.
