July 5, 2023
Ultimate Member Plugin Allows Ultimate Website Access; Army Soldiers and Nefarious Smartwatches; Biometric Airport Security; China curbs metal exports to slow US chip making; This Day in Tech History
In this Episode:
Privilege Escalation Vulnerability in Ultimate Member Plugin Allows Ultimate Website Access
Edwin Kwan, Sydney, Australia
200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin – SecurityWeek
Hacking Campaign Actively Exploiting Ultimate Member Plugin – WPScan WordPress Security
Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates
Warning: Army Soldiers and Nefarious Smartwatches… the rise of the Decepticons?
Tracy (Trac) Bannon, Salem, Massachusetts
US Army personnel receive suspicious smartwatches | Cybernews
How Safe Is Your Wearable Device?
CID Lookout: Unsolicited Smartwatches Received by Mail
Biometric Airport Security – Facial Recognition
China curbs metal exports to slow US chip making
This Day in Tech History
From Sourced Network Productions in New York City. “It’s 5:05”. I’m Pokie Huang. Today is Wednesday, July 5th. Here’s the full story behind today’s cybersecurity and open source headlines…
This is Edwin Kwan from Sydney, Australia.
WordPress plugin, Ultimate Member, is vulnerable to a privilege escalation vulnerability that allows attackers to gain administrator access to the WordPress site. The plugin claims that it is the number one user profile and membership plugin for WordPress. It is used for membership access management for online communities and membership sites. It is a popular plugin with over 200,000 active installations.
The technical details of the flaw tracked as CVE-2023-3460 are being withheld for now. The plugin’s maintainers have attempted to address the vulnerability in two versions. But security researchers were able to circumvent the updates in multiple ways.
The most recent fix, version 2.6.7, which was released over the weekend, has fixed the issue, and anyone using the plugin should update immediately, as this vulnerability is actively being exploited in the wild.
Over the past few weeks, a number of US soldiers opened their mail and found a pretty cool gift, a free smartwatch. What could be so bad about that? Free unsolicited smart electronics? Remember the adage that nothing in life is free except for bad coffee.
Hello, this is Trac Bannon reporting from Salem, Massachusetts.
Getting a package in the mail is a pretty darn common event these days, but what if you don’t remember ordering something? I’ll admit that happens. Or my family orders something and uses my name for the mail to address. Still pretty common. This appears to be the case recently with US soldiers receiving unsolicited smartwatches.
What could be the harm? Well, quite frankly, the sky is the limit. Smartwatches collect a ton of personal data, including health metrics, location, payment information, and biometric indicators. They also auto-connect to local Wi-Fi networks using cell phones. Here in the States, the Department of the Army Criminal Investigation Division warns the devices may contain malware that could expose banking information, contacts, and account information such as usernames and passwords.
It gets a bit scarier when you consider camera and microphone access if the malware is spread to your cell phone. So get this. UK Police are warning runners and cyclists about burglaries and mugging risks when GPS connected wearables are being used.
For me, what’s scary are the nuances of leveraging biometric indicators. That is the scariest. Why? The amount of social engineering and the possibility of biometric verification based on my unique physical or behavioral characteristics.
This is some really bad stuff, Gang. Wearable devices like smartwatches and biosensors are on the climb with a prediction of the market hitting roughly $260 billion by 2026, according to the research firm MarketsAndMarkets.
Whether military or not, if you receive unsolicited electronics, do not turn them on. Repeat, do not turn them on. If you are in the US military in particular, directly contact the Army’s CID. I will not be including the URL for the Army’s CID tip line, however, because my browser tells me that it is not using secure HTTP and won’t let me access it. Instead, call your security manager.
Something to noodle on.
Hi, this is Hillary Coover. In a pilot project conducted by the Transportation Security Administration at 16 airports across the United States, facial recognition technology is being used to enhance airport security and streamline procedures. Travelers voluntarily participate by inserting their ID card or placing their passport photo against a card reader, and then looking into a camera that compares their image to their identification.
While TSA claims the pilot is accurate and optional, critics raise concerns about bias in facial recognition technology, and potential privacy implications for passengers who wish to opt out.
The technology has attracted scrutiny from elected officials and privacy advocates who fear increased biometric surveillance could pose risks to civil liberties. Some worry about the potential for data breaches or hacking attempts, as well as algorithmic bias that could disproportionately affect minorities.
I realize the privacy concerns and distrust of biometric data collection by government persist, but biometrics are already widely used in privately owned technology and are not going anywhere.
I want to explore the positive side of this pilot program. First and foremost, enhanced security at the airport. If you have a known database of faceprints of criminals, trafficked victims, or their perpetrators, being able to quickly identify such situations could lead to safer air travel. I realize we’re a long way from that since TSA is not actually storing these images, but it could be a future outcome.
Second, identity automation could lead to streamlined procedures, resulting in shorter lines and more efficient airport operations.
In a significant move, China announced export controls on gallium and germanium, crucial metals used in semiconductors in various technologies. China, the largest global producer of these metals, will require special licenses for their exports starting next month.
This is Katie Craig in San Diego, California.
The decision is seen as part of the ongoing US-China technology battle and aims to safeguard China’s national security and interests. This coincides with US Treasury Secretary Janet Yellen’s upcoming visit to Beijing, adding further significance to the timing.
The US has been actively curbing China’s access to advanced microprocessors and other critical technologies. Gallium and germanium are vital components in semiconductor communications and military equipment, as well as in products like solar panels. The semiconductor industry has become a focal point in the intense rivalry between the two largest economies. The US has taken measures to restrict China’s access to technology that it fears could be used for military purposes, particularly in supercomputing and artificial intelligence.
Last month, the Netherlands joined Japan in curbing exports of advanced technology know-how and materials to China. As the US-China tech battle escalates, the future of artificial intelligence and whether China can surpass the US in this field remain key questions.
This is Katie Craig, stay safe out there.
This is Marcel Brown bringing you some technology history for July 2nd through the 5th.
July 2nd, 1953. IBM announced its 650 series of computers, the first mass produced computer and the dominant computer of the decade. The IBM 650 stored information on a rotating magnetic drum and received it on programmed punch cards. Its memory stored numbers with up to 10 decimal digits.
July 3rd, 1969. UCLA issues a press release stating that it will “become the first station in a nationwide computer network, which for the first time will link together computers of different makes and using different machine languages into one time sharing system.”
It went on to say that “Creation of the network represents a major forward step in computer technology and may serve as the forerunner of large computer networks of the future.” How right they were. Of course, this was the first step in creating what became known as the internet.
The first transmission on that newly created internet wasn’t actually sent until October 29th of that year.
July 4th, 1956. MIT’s Whirlwind, which had been completed five years earlier, becomes the first computer in the world to allow its users to enter commands through a keyboard. Previously, all input was accomplished through dials, switches, and/or punch cards.
July 5th, 1923. Kodak introduces the hand-cranked Cine-Kodak Model A, the first complete 16 millimeter film system. 16 millimeter film was developed to be an amateur alternative to 35 millimeter film, most often used by professionals. However, it found widespread use during World War II and later for television production, especially TV news. 16 millimeter film is still in use today for certain applications.
That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.
That’s our updates for today, July 5th. I’m Pokie Huang. We’ll be back tomorrow… at 5:05.