Archive for February, 2020

Six-Year-Old Brits Suspects in Sexting Offenses


British police have been investigating children as young as six over their involvement in sexting offenses. 



Figures released by London’s Metropolitan Police Service reveal that between January 2017 and August 2019, a total of 353 children aged from six to thirteen were investigated in relation to sending and receiving sexual images. 



Sexting investigations involving children under age 14 have increased dramatically since figures began to be recorded two and a half years ago. In 2017, 92 under-14s were investigated. In 2018, the figure rose to 151, and in the first six months of last year, 110 under-14s were recorded as sexting suspects.



The true figures could be far higher, said the Met, which is not seeking to prosecute children, but to raise awareness among kids and their parents about the law. 



“We do not want to criminalize young people unnecessarily—we want to educate them so that they can be better informed about the legal position and mindful about the potential pitfalls of an activity many of them might regard as nothing out of the ordinary,” said Detective Superintendent Zena Marshall.



The Met said that many youngsters had no idea that taking, sharing, or possessing sexually explicit pictures of children under age 18 was a crime. Others said that images of them had been distributed without their consent. 



“We know that many young people do not realize that creating or sharing explicit images of an under-18 is against the law, even if the persons doing it are children themselves, and as police we have a duty to record allegations concerning sexting when they are reported to us,” said Marshall.



“Someone could be classed as a victim, witness or suspect, depending on the circumstances.”



Scotland Yard—the Met’s London headquarters—said that the force received sexting reports involving children from a number of sources, including parents, schools, youth clubs, local authorities, and the children themselves. 



A report published by the Internet Watch Foundation (IWF) last month found that a third of child sex abuse images online are originally posted by the children themselves in the hopes of winning social approval.



The Met said that the exchange of sexually explicit images amongst teenagers was now a “societal norm,” and that online indecent image offenses as a whole had risen by 130 percent since 2016.


Source: Infosecurity

CVE-2015-6922

Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx.
Source: NIST

CVE-2015-0258

Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser.php in Collabtive before 2.1 allow remote authenticated users to execute arbitrary code by uploading a file with a (1) .php3, (2) .php4, (3) .php5, or (4) .phtml extension.
Source: NIST

Personal Data of 144K Canadians Breached by Federal Government


New figures tabled in Canada’s House of Commons have revealed that at least 144,000 Canadians have had their personal information mishandled by federal departments and agencies over the past two years. 



The figures were part of an 800-page document written in response to an Order Paper question filed last month by Conservative MP Dean Allison. No information as to how the data came to be mishandled was included in the federal government’s lengthy answer.



In total, 7,992 breaches were found to have occurred at 10 different agencies and departments. The errors range in severity from minor infractions to serious data breaches that resulted in the exposure of sensitive personal information. 



The Canada Revenue Agency (CRA) was the worst offender, with 3,020 breaches affecting 60,000 Canadians recorded between January 1, 2018, and December 10, 2019. 



A spokesperson for the CRA, Etienne Biram, said: “Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents.”



One of those three major incidents occurred when some CRA employees were accidentally given access to a hard drive containing personal information belonging to 11,780 individuals in January 2019. 



Biram said that no evidence had been uncovered that indicated the files had actually been accessed by any unauthorized personnel. 



Over the same time period, 122 breaches affecting 24,000 people were reported by Health Canada. In one breach, a government employee received an email containing personal information.



Health Canada spokesperson Tammy Jarbeau said: “The majority of the reported breaches were the result of human error and did not release sensitive personal information.”



The figure of 144,000 tabled in the House was based on estimates, meaning the real number of breaches could be higher. Not all the departments were able to state with accuracy how many people were affected by individual breaches or how many breach victims were contacted after a particular breach had occurred. 



Under current law, federal departments are only obliged to notify individuals in the event of a breach affecting large numbers of people or in the event of “material” breaches, in which sensitive personal information that could reasonably be expected to cause serious injury or harm to an individual is exposed.


Source: Infosecurity

CVE-2020-9043

The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key.
Source: NIST

CVE-2020-1704

An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
Source: NIST

CVE-2019-12954

SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT.
Source: NIST

CVE-2015-1387

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1454. Reason: This candidate is a reservation duplicate of CVE-2015-1454. Notes: All CVE users should reference CVE-2015-1454 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Source: NIST

CVE-2013-3722

A Denial of Service (infinite loop) exists in OpenSIPS before 1.10 in lookup.c.
Source: NIST

New York Post Reporter Investigated Over Leaks


New York cops, on the hunt for a source of leaked police photographs, have subpoenaed the Twitter account of a journalist at the New York Post.



The New York Police Department (NYPD) sought access to the Twitter data of New York Post police bureau chief Tina Moore after the reporter displayed an almost uncanny knack for sniffing out photos of the latest scoops.



In a subpoena dated December 9, police demanded that Twitter turn over information connected to the account @tinamoorereport from October 9 to October 14, 2019. 



Around that period, Moore tweeted a series of gory crime scene photos depicting a massacre in a Harlem gambling den that left three dead and four injured. 



Twitter was ordered to give the police access to all email accounts, servers, and internet protocol addresses associated with Moore’s social media account, along with info on any connected devices.



Strangely, the Patriot Act—a post-9/11 piece of anti-terrorism legislation—was cited as a reason for Twitter to comply with the request.



Police told Twitter not to inform anyone about the subpoena for 90 days after its date of issue. Disclosing its existence could, they said, impede the course of any investigation.  



Twitter appears to have ignored this advice, however, as the subpoena ended up in the hands of the New York Post, which published the document in full on its website on Thursday, February 13. 



The NYPD withdrew the subpoena on Wednesday after lawyers from the Post contacted the department.



“We are conducting an investigation to identify the person who leaked crime scene photos,” said the NYPD in a statement. 



“Tina Moore was never the focus of our investigation.”



The wording of the subpoena implied that the police were more interested in obtaining information about the devices that Moore used to connect to Twitter than in discovering information regarding the account itself. 



News that Moore’s records had been the subject of a subpoena came just days after the NYPD placed two officers on modified duty for allegedly leaking video of a dramatic shooting incident that took place inside a Bronx station house.



Source: Infosecurity