from CSA Notice Regarding Coordinated Blanket Order 96-932 Re Temporary Exemptions from Certain Derivatives Data Reporting Requirements By www.osc.ca Published On :: Wed, 30 Oct 2024 18:15:28 GMT This document is only available as a PDF. Full Article
from From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25 By www.tenable.com Published On :: Tue, 22 Oct 2024 11:11:11 -0400 Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.BackgroundIn January 1999, David E. Mann and Steven M. Christey published the paper “Towards a Common Enumeration of Vulnerabilities” describing an effort to create interoperability between multiple vulnerability databases. To achieve a common taxonomy for vulnerabilities and exposures, they proposed Common Vulnerabilities and Exposures (CVE). In September 1999, the MITRE Corporation finalized the first CVE list, which included 321 records. CVE was revealed to the world the following month.As of October 2024, there are over 240,000 CVEs. including many that have significantly impacted consumers, businesses and governments. The Tenable Security Response Team has chosen to highlight the following 25 significant vulnerabilities, followed by links to product coverage for Tenable customers to utilize.25 Significant CVEsCVE-1999-0211: SunOS Arbitrary Read/Write VulnerabilityArbitrary ReadArbitrary WriteLocalCritical1999Why it’s significant: To our knowledge, there is no formally recognized “first CVE.” However, the GitHub repository for CVE.org shows that the first CVE submitted was CVE-1999-0211 on September 29, 1999 at 12:00AM. Because it was the first one, we’ve chosen to highlight it. The vulnerability was first identified in 1991 and a revised patch was issued in 1994.CVE-2010-2568: Windows Shell Remote Code Execution VulnerabilityRemote Code ExecutionExploitedZero-DayLocalStuxnetHigh2010Why it’s significant: Regarded as one of the most sophisticated cyberespionage tools ever created, Stuxnet was designed to target SCADA systems in industrial environments to reportedly sabotage Iran's nuclear program. Stuxnet exploited CVE-2010-2568 as one of its initial infection vectors, spreading via removable drives. Once a compromised USB drive was inserted into a system, Stuxnet was executed automatically via the vulnerability, infecting the host machine, propagating to other systems through network shares and additional USB drives.CVE-2014-0160: OpenSSL Information Disclosure VulnerabilityHeartbleedInformation DisclosureExploitedZero-DayNetworkCybercriminalsHigh2014Why it’s significant: Dubbed “Heartbleed” because it was found in the Heartbeat extension of OpenSSL, this vulnerability allows an attacker, without prior authentication, to send a malicious heartbeat request with a false length field, claiming the packet contains more data than it does. The receiving system would then return data from its memory extending beyond the legitimate request, which may include sensitive private data, such as server keys and user credentials. OpenSSL is used by millions of websites, cloud services, and even VPN software, for encryption, making Heartbleed one of the most widespread vulnerabilities at the time.CVE-2014-6271: GNU Bash Shellshock Remote Code Execution VulnerabilityShellshock Bash Bug Remote Code ExecutionExploitedZero-DayNetworkCybercriminalsCritical2014Why it’s significant: An attacker could craft an environment variable that contained both a function definition and additional malicious code. When Bash, a command interpreter used by Unix-based systems including Linux and macOS, processed this variable, it would execute the function, but also run the arbitrary commands appended after the function definition. “Shellshock” quickly became one of the most severe vulnerabilities discovered, comparable to Heartbleed’s potential impact. Attackers could exploit Shellshock to gain full control of vulnerable systems, leading to data breaches, service interruptions and malware deployment. The impact extended far beyond local systems. Bash is used by numerous services, particularly web servers, via CGI scripts to handle HTTP requests.CVE-2015-5119: Adobe Flash Player Use After FreeRemote Code Execution Denial-of-ServiceExploitedZero-DayCybercriminalsAPT GroupsCritical2015Why it’s significant: Discovered during the Hacking Team data breach, it was quickly weaponized, appearing in multiple exploit kits. CVE-2015-5119 is a use-after-free flaw in Flash’s ActionScript ByteArray class, allowing attackers to execute arbitrary code by tricking users into visiting a compromised website. It was quickly integrated into attack frameworks used by Advanced Persistent Threat (APT) groups like APT3, APT18, and Fancy Bear (APT28). These groups, with ties to China and Russia, used the vulnerability to spy on and steal data from governments and corporations. Fancy Bear has been associated with nation-state cyber warfare, exploiting Flash vulnerabilities for political and military intelligence information gathering. This flaw, along with several other Flash vulnerabilities, highlighted Flash’s risks, accelerating its eventual phase-out.CVE-2017-11882: Microsoft Office Equation Editor Remote Code Execution VulnerabilityRemote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsHigh2017Why it’s significant: The vulnerability existed for 17 years in Equation Editor (EQNEDT32.EXE), a Microsoft Office legacy component used to insert and edit complex mathematical equations within documents. Once CVE-2017-11882 became public, cybercriminals and APT groups included it in maliciously crafted Office files. It became one of 2018’s most exploited vulnerabilities and continues to be utilized by various threat actors including SideWinder.CVE-2017-0144: Windows SMB Remote Code Execution VulnerabilityEternalBlueRemote Code ExecutionExploitedNetworkWannaCry NotPetyaHigh2017Why it’s significant: CVE-2017-0144 was discovered by the National Security Agency (NSA) and leaked by a hacker group known as Shadow Brokers, making it widely accessible. Dubbed “EternalBlue,” its capacity to propagate laterally through networks, often infecting unpatched machines without human interaction, made it highly dangerous. It was weaponized in the WannaCry ransomware attack in May 2017 and spread globally. It was reused by NotPetya, a data-destroying wiper originally disguised as ransomware. NotPetya targeted companies in Ukraine before spreading worldwide. This made it one of history’s costliest cyberattacks.CVE-2017-5638: Apache Struts 2 Jakarta Multipart Parser Remote Code Execution VulnerabilityRemote Code ExecutionExploitedNetworkEquifax BreachCritical2017Why it’s significant: This vulnerability affects the Jakarta Multipart Parser in Apache Struts 2, a popular framework for building Java web applications. An attacker can exploit it by injecting malicious code into HTTP headers during file uploads, resulting in remote code execution (RCE), giving attackers control of the web server. CVE-2017-5638 was used in the Equifax breach, where personal and financial data of 147 million people was stolen, emphasizing the importance of patching widely-used frameworks, particularly in enterprise environments, to prevent catastrophic data breaches.CVE-2019-0708: Remote Desktop Services Remote Code Execution VulnerabilityBlueKeep DejaBlue Remote Code ExecutionExploitedNetworkRansomware GroupsCybercriminalsCritical2019Why it’s significant: Dubbed "BlueKeep," this vulnerability in Windows Remote Desktop Services (RDS) was significant for its potential for widespread, self-propagating attacks, similar to the infamous WannaCry ransomware. An attacker could exploit this flaw to execute arbitrary code and take full control of a machine through Remote Desktop Protocol (RDP), a common method for remote administration. BlueKeep was featured in the Top Routinely Exploited Vulnerabilities list in 2022 and was exploited by affiliates of the LockBit ransomware group.CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution VulnerabilitySMBGhost EternalDarknessRemote Code ExecutionExploited NetworkCybercriminalsRansomware GroupsCritical2020Why it’s significant: Its discovery evoked memories of EternalBlue because of the potential for it to be wormable, which is what led to it becoming a named vulnerability. Researchers found it trivial to identify the flaw and develop proof-of-concept (PoC) exploits for it. It was exploited in the wild by cybercriminals, including the Conti ransomware group and its affiliates.CVE-2019-19781: Citrix ADC and Gateway Remote Code Execution VulnerabilityPath TraversalExploitedNetworkAPT GroupsRansomware GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway is significant due to its rapid exploitation by multiple threat actors, including state-sponsored groups and ransomware affiliates. By sending crafted HTTP requests, attackers could gain RCE and take full control of affected devices to install malware or steal data. The vulnerability remained unpatched for a month after its disclosure, leading to widespread exploitation. Unpatched systems are still being targeted today, highlighting the risk of ignoring known vulnerabilities.CVE-2019-10149: Exim Remote Command Execution VulnerabilityRemote Command ExecutionExploitedNetworkAPT GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Exim, a popular Mail Transfer Agent, allows attackers to execute arbitrary commands with root privileges simply by sending a specially crafted email. The availability of public exploits led to widespread scanning and exploitation of vulnerable Exim servers, with attackers using compromised systems to install cryptocurrency miners (cryptominers), launch internal attacks or establish persistent backdoors. The NSA warned that state-sponsored actors were actively exploiting this flaw to compromise email servers and gather sensitive information.CVE-2020-1472: Netlogon Elevation of Privilege VulnerabilityZerologonElevation of PrivilegeExploitedLocalRansomware GroupsAPT GroupsCybercriminalsCritical2020Why it’s significant: This vulnerability in the Netlogon Remote Protocol (MS-NRPC) allows attackers with network access to a Windows domain controller to reset its password, enabling them to impersonate the domain controller and potentially take over the entire domain. Its severity was underscored when Microsoft reported active exploitation less than two months after disclosure and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to patch the flaw. Despite available patches, it continues to be exploited by ransomware groups, APT groups, and others, highlighting its broad and ongoing impact on network security.CVE-2017-5753: CPU Speculative Execution Bounds Check Bypass VulnerabilitySpectreSpeculative Execution Bounds Check BypassLocalMedium2018Why it’s significant: In a speculative execution process, an idle microprocessor waiting to receive data speculates what the next instruction might be. Although meant to enhance performance, this process became a fundamental design flaw affecting the security of numerous modern processors. In Spectre’s case, an attacker-controlled process could read arbitrary memory belonging to another process. Since its discovery in January 2018, Spectre has affected nearly all modern processors from Intel, AMD and ARM. While it’s difficult to execute a successful Spectre attack, fully remediating the root cause is hard and requires microcode as well as operating system updates to mitigate the risk.CVE-2017-5754: CPU Speculative Execution Rogue Data Cache Load VulnerabilityMeltdownSpeculative Execution Rogue Data Cache LoadLocalHigh2018Why it’s significant: Meltdown, another speculative execution vulnerability released alongside Spectre, can allow a userspace program to read privileged kernel memory. It exploits a race condition between the memory access and privilege checking while speculatively executing instructions. Meltdown impacts desktop, laptop and cloud systems and, according to researchers, may affect nearly every Intel processor released since 1995. With a wide reaching impact, both Spectre and Meltdown sparked major interest in a largely unexplored security area. The result: a slew of research and vulnerability discoveries, many of which were also given names and logos. While there’s no evidence of a successful Meltdown exploit, the discovery showcased the risk of security boundaries enforced by hardware.CVE-2021-36942: Windows LSA Spoofing VulnerabilityPetitPotamSpoofingExploitedZero-DayNetworkRansomware GroupsHigh2021Why it’s significant: This vulnerability can force domain controllers to authenticate to an attacker-controlled destination. Shortly after a PoC was disclosed, it was adopted by ransomware groups like LockFile, which have chained Microsoft Exchange vulnerabilities with PetitPotam to take over domain controllers. Patched in the August 2021 Patch Tuesday release, the initial patch for CVE-2021-36942 only partially mitigated the issue, with Microsoft pushing general mitigation guidance for defending against NTLM Relay Attacks.CVE-2022-30190: Microsoft Windows Support Diagnostic Tool Remote Code ExecutionFollinaRemote Code ExecutionExploitedZero-DayLocalQakbot RemcosHigh2022Why it’s significant: Follina, a zero-day RCE vulnerability in MSDT impacting several versions of Microsoft Office, was later designated CVE-2022-30190. After public disclosure in May 2022, Microsoft patched Follina in the June 2022 Patch Tuesday. After disclosure, reports suggested that Microsoft dismissed the flaw’s initial disclosure as early as April 2022. Follina has been widely adopted by threat actors and was associated with some of 2021’s top malware strains in a joint cybersecurity advisory from CISA and the Australian Cyber Security Centre (ACSC), operating under the Australian Signals Directorate (ASD).CVE-2021-44228: Apache Log4j Remote Code Execution VulnerabilityLog4ShellRemote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsCritical2021Why it’s significant: Log4j, a Java logging library widely used across many products and services, created a large attack surface. The discovery of CVE-2021-44228, dubbed “Log4Shell,” caused great concern, as exploitation simply requires sending a specially crafted request to a server running a vulnerable version of Log4j. After its disclosure, Log4Shell was exploited in attacks by cryptominers, DDoS botnets, ransomware groups and APT groups including those affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC).CVE-2021-26855: Microsoft Exchange Server Server-Side Request Forgery VulnerabilityProxyLogonServer-Side Request Forgery (SSRF)ExploitedZero-DayNetworkAPT Groups Ransomware GroupsCybercriminalsCritical2021Why it’s significant: CVE-2021-26855 was discovered as a zero-day along with four other vulnerabilities in Microsoft Exchange Server. It was exploited by a nation-state threat actor dubbed HAFNIUM. By sending a specially crafted HTTP request to a vulnerable Exchange Server, an attacker could steal the contents of user mailboxes using ProxyLogon. Outside of HAFNIUM, ProxyLogon has been used by ransomware groups and other cybercriminals. Its discovery created a domino effect, as other Exchange Server flaws, including ProxyShell and ProxyNotShell, were discovered, disclosed and subsequently exploited by attackers.CVE-2021-34527: Microsoft Windows Print Spooler Remote Code Execution VulnerabilityPrintNightmareRemote Code ExecutionExploitedLocalAPT GroupsRansomware GroupsCybercriminalsHigh2021Why it’s significant: This RCE in the ubiquitous Windows Print Spooler could grant authenticated attackers arbitrary code execution privileges as SYSTEM. There was confusion surrounding the disclosure of this flaw, identified as CVE-2021-34527 and dubbed “PrintNightmare.” Originally, CVE-2021-1675, disclosed in June 2021, was believed to be the real PrintNightmare. However, Microsoft noted CVE-2021-1675 is “similar but distinct” from PrintNightmare. Since its disclosure, several Print Spooler vulnerabilities were disclosed, while a variety of attackers, including the Magniber and Vice Society ransomware groups exploited PrintNightmare.CVE-2021-27101: Accellion File Transfer Appliance (FTA) SQL Injection VulnerabilitySQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2021Why it’s significant: The file transfer appliance from Accellion (now known as Kiteworks) was exploited as a zero-day by the CLOP ransomware group between December 2020 and early 2021. Mandiant, hired by Kiteworks to investigate, determined that CLOP (aka UNC2546) exploited several flaws in FTA including CVE-2021-27101. This was CLOP’s first foray into targeting file transfer solutions, as they provide an easy avenue for the exfiltration of sensitive data that can be used to facilitate extortion.CVE-2023-34362: Progress Software MOVEit Transfer SQL Injection VulnerabilitySQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2023Why it’s significant: CLOP’s targeting of file transfer solutions culminated in the discovery of CVE-2023-34362, a zero-day in Progress Software’s MOVEit Transfer, a secure managed file transfer software. CLOP targeted MOVEit in May 2023 and the ramifications are still felt today. According to research conducted by Emsisoft, 2,773 organizations have been impacted and information on over 95 million individuals has been exposed as of October 2024. This attack underscored the value in targeting file transfer solutions.CVE-2023-4966: Citrix NetScaler and ADC Gateway Sensitive Information Disclosure VulnerabilityCitrixBleedInformation DisclosureExploitedZero-DayNetworkRansomware GroupsAPT GroupsCritical2023Why it’s significant: CVE-2023-4966, also known as “CitrixBleed,” is very simple to exploit. An unauthenticated attacker could send a specially crafted request to a vulnerable NetScaler ADC or Gateway endpoint and obtain valid session tokens from the device’s memory. These session tokens could be replayed back to bypass authentication, and would persist even after the available patches had been applied. CitrixBleed saw mass exploitation after its disclosure, and ransomware groups like LockBit 3.0 and Medusa adopted it.CVE-2023-2868: Barracuda Email Security Gateway (ESG) Remote Command Injection VulnerabilityRemote Command InjectionExploitedZero-DayNetworkAPT GroupsCritical2023Why it’s significant: Researchers found evidence of zero-day exploitation of CVE-2023-2868 in October 2022 by the APT group UNC4841. While Barracuda released patches in May 2023, the FBI issued a flash alert in August 2023 declaring them “ineffective,” stating that “active intrusions” were being observed on patched systems. This led to Barracuda making an unprecedented recommendation for the “immediate replacement of compromised ESG appliances, regardless of patch level.”CVE-2024-3094: XZ Utils Embedded Malicious Code VulnerabilityEmbedded Malicious CodeZero-DayUnknown Threat Actor (Jia Tan)Critical2024Why it’s significant: CVE-2024-3094 is not a traditional vulnerability. It is a CVE assigned for a supply-chain backdoor discovered in XZ Utils, a compression library found in various Linux distributions. Developer Andres Freund discovered the backdoor while investigating SSH performance issues. CVE-2024-3094 highlighted a coordinated supply chain attack by an unknown individual that contributed to the XZ GitHub project for two and a half years, gaining the trust of the developer before introducing the backdoor. The outcome of this supply chain attack could have been worse were it not for Freund’s discovery.Identifying affected systemsA list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:CVE-1999-0211CVE-2010-2568CVE-2014-0160CVE-2014-6271CVE-2015-5119CVE-2017-11882CVE-2017-0144CVE-2017-5638CVE-2019-0708CVE-2020-0796CVE-2019-19781CVE-2019-10149CVE-2020-1472CVE-2017-5753CVE-2017-5754CVE-2021-36942CVE-2022-30190CVE-2021-44228CVE-2021-26855CVE-2021-34527CVE-2021-27101CVE-2023-34362CVE-2023-4966CVE-2023-2868CVE-2024-3094 Full Article
from Context Is King: From Vulnerability Management to Exposure Management By www.tenable.com Published On :: Thu, 07 Nov 2024 08:30:00 -0500 Vulnerability management remains a cornerstone of preventive cybersecurity, but organizations still struggle with vulnerability overload and sophisticated threats. Tenable’s new Exposure Signals gives security teams comprehensive context, so they can shift from vulnerability management to exposure management and effectively prioritize high-risk exposures across their complex attack surface.A critical vulnerability has been disclosed and attackers worldwide are actively exploiting it in the wild. Your vulnerability management team jumps into action and determines that the vulnerability is present in hundreds of your organization’s assets. Which ones do you patch first? How do you prioritize your remediation efforts? What criteria do you use? The clock is ticking. Hackers are on the prowl.Historically, your vulnerability management team would rely on severity scores like Vulnerability Priority Rating (VPR). This is a great start, but only gives you one indicator of risk. To prioritize remediation precisely and effectively, you need to consider a variety of other criteria, such as a vulnerable asset’s type, owner, and function; the access-level and privileges on the asset; and critical attack paths into your environment.This type of comprehensive, holistic context will let you prioritize correctly, but it can only be achieved with a different approach that goes beyond traditional vulnerability management. That approach is exposure management. With exposure management, your vulnerability management team would be able to pinpoint the subset of assets affected by our hypothetical vulnerability that, for example, are externally accessible, possess domain-level privileges and are part of a critical attack path. That way they would know where the greatest risk is and what they need to remediate first. Having this deep insight, context and visibility transforms the risk assessment equation, and allows your vulnerability management team to move decisively, quickly and strategically.In this blog, we’ll outline why it’s imperative for your vulnerability management teams to shift to an exposure management mindset, and we’ll explain how Tenable can help them do it.To pinpoint riskiest vulns, vulnerability management needs broader exposure context In today's evolving cybersecurity landscape, vulnerability management remains one of the foundational pieces of an organization's proactive defense strategy. However, these teams still have difficulty in addressing the increased level of risks posed by the continuous surge of Common Vulnerabilities and Exposures (CVEs) and other flaws.Many security teams are frequently overwhelmed by the sheer volume of vulnerabilities with limited resources to manage them effectively. The sophistication and speed of threat actors has escalated, with attackers having more entry points and using new tactics, techniques and procedures to access other critical areas of the business - demonstrating that attacks are no longer linear but multifaceted.It’s common for security teams to struggle with:Vulnerability overload - This long-standing problem keeps getting worse. Security teams are finding it more difficult than ever to sift through the avalanche of CVEs and identify the areas of the business that have the most risk. Lack of exposure context for prioritization - Your teams are making decisions while missing layers of context. Threat intelligence and vulnerability severity are a great start, but limiting yourself to them doesn’t give you the full context you need to prioritize properly. Slow remediation response - Both proactive and reactive security teams devote massive amounts of time to responding to critical vulnerabilities. Resources are spread thin, making it more important than ever for teams to confidently identify the most high risk exposures when recommending remediation efforts.Need to shift from a vulnerability to an exposure mindsetKnowing the struggles that you are dealing with today can help illuminate the benefits of exposure management. The missing links between a vulnerability and an exposure are the additional layers of context. Having multidimensional context enables you to understand not just the vulnerabilities themselves but their potential impact within the broader attack surface. This approach provides a more comprehensive view of an organization's security posture by considering factors such as threat intelligence, asset criticality, identities and access, as well as other pieces of context. With this additional information, you spend significantly less time sorting through stacks of similar vulnerabilities and you can be more focused on identifying key issues that pose risk - exposures.For those who have never heard of exposure management or are just getting started, there are many benefits to this discipline. When it comes to Tenable’s approach, we adopt that same mentality with our exposure management platform. The goal is simple: exposure management empowers organizations to prioritize remediation efforts more effectively. It surfaces information that helps develop strategies to address not only the vulnerabilities themselves but the emergence of exposures that could lead to significant breaches.The jump from vulnerability to exposureBridging the gap from vulnerability management to exposure management requires connecting context across the entire attack surface. Vulnerability management provides context that predicts the likelihood of an attack and displays key drivers, age of vulnerability and threat sources. These attributes are helpful, but we can go much further to improve our prioritization effectiveness. This requires having broader visibility and deeper insights across the attack surface to understand the bigger picture of exposures.Specifically, security teams need additional context around:Asset context - There are many levels to an asset that can help drive prioritization decisions. It’s key to understand the criticality of an asset related to its type, function, owner name and its relationships to other assets. Even knowing if the asset is accessible from the internet or not will shape how its remediation is prioritized. Identities - Identities serve as the cornerstone for successful attacks, so it’s key to contextualize them for exposure management. Understanding user-privilege levels, entitlements and user information can help prevent attackers from gaining privilege escalation and moving laterally. Focusing prioritization efforts on vulnerable assets with domain and admin-level privileges is a critical best practice in order to reduce the likelihood of a breach. Threat context - Having various levels of threat context is also important to prioritize exposures. We know that threats change over time, so leveraging dynamic scoring like VPR or Asset Exposure Score (AES) can show indicators of risk. We can also bring in context from attack path modeling to influence remediation decisions based on the attacker’s perspective by understanding the number of critical attack paths or choke points in your environment.When security analysts have this additional information, they can now truly understand the breadth and depth of the exposure. This is how prioritization is done in this new world of exposure management.Introducing Exposure SignalsTo help make it easier for you to shift to this exposure management mindset, we have developed a new prioritization capability called Exposure Signals. Available in Tenable One, Tenable’s exposure management platform, Exposure Signals allows security teams to have more comprehensive context in a centralized place for a focused view of risk. There are two ways to use these new Exposure Signals. The first is to access a comprehensive library of high-risk, prebuilt signals. Easy to refer to, they signal potential risk in your environment and create a great starting point for you to get your exposure management juices flowing. For example, you can easily see and refer to: Domain admin group on internet-exposed hosts with critical vulnerabilitiesDevices exposed to the internet via RDP with an associated identity account with a compromised passwordCloud assets with critical severity findings and asset exposure score above 700Exposure Signals allow you to track the number of violations that signal high-risk scenarios in your environment. View this list on a regular basis to see how it changes over time with its unique trendline. Take exploration into your own hands by viewing the impacted asset and its contextual intelligence in our Inventory Module. The second way to use Exposure Signals is by creating your own signals using a query builder or natural language processing (NLP) search powered by ExposureAI. That way, you can go as broad or as precise as needed. For example, let’s say there is a new zero day vulnerability that sweeps the industry, similar to Log4Shell. You can easily create a signal to target which assets have the vulnerability, are internet facing and have domain admin-level privileges. We are stringing these components together so that you can understand your true risk and better direct your prioritization efforts.To learn more about Tenable One and Exposure Signals, check out our interactive demo: Full Article
from Social Media for Science Outreach – A Case Study: Lessons From a Campaign Twitter Account By www.nature.com Published On :: Fri, 24 May 2013 10:07:42 +0000 James King is a geomorphologist interested in exploring the processes that govern sediment transport and Full Article Featured Guest Posts Outreach SpotOn NYC (#SoNYC) #reachingoutsci Social Media Case Study
from Canadian securities regulators publish coordinated blanket orders to provide temporary exemptions from certain derivatives data reporting requirements By www.osc.ca Published On :: Wed, 30 Oct 2024 17:52:49 GMT TORONTO – The Canadian Securities Administrators (CSA) today published Full Article
from SpotOn London 2012 Storify: Fixing the fraud: how do we safeguard science from misconduct? By www.nature.com Published On :: Wed, 14 Nov 2012 12:00:49 +0000 #solo12fraud Full Article Featured Policy SpotOn London (#SoLo) Storifys #solo12fraud
from You look like death : tales from the Umbrella Academy / story, Gerard Way and Shaun Simon ; art & colors, I.N.J. Culbard ; letters, Nate Piekos of Blambot ; cover and chapter breaks by Gabriel Bá. By library.gcpl.lib.oh.us Published On :: "When 18-year-old Klaus gets himself kicked out of the Umbrella Academy and his allowance discontinued, he heads to a place where his ghoulish talents will be appreciated— Hollywood. But after a magical high on a stash stolen from a vampire drug lord, Klaus needs help, and doesn't have his siblings there to save him." -- Provided by publisher. Full Article
from Innovations of targeted poverty reduction governance and policy in Zhejiang Province: Insights from China’s post-2020 anti-poverty strategy [in Chinese] By www.ifpri.org Published On :: Tue, 03 Nov 2020 5:05:01 EST Full Article
from Reflections on rural revitalization from a global perspective [in Chinese] By www.ifpri.org Published On :: Fri, 11 Dec 2020 5:05:01 EST Full Article
from Armed conflict and business operations in Sudan: Survey evidence from agri-food processing firms [in Arabic] By www.ifpri.org Published On :: Sat, 21 Oct 2023 5:05:01 EDT Full Article
from Do safety net programs reduce conflict risk? Evidence from a large-scale public works program in Ethiopia By essp.ifpri.info Published On :: Wed, 06 Nov 2024 09:08:15 +0000 Summary of the findings • We find that the PSNP did not significantly alter the risk of violent events. • However, it had a negative impact on demonstrations (protests and riots) as well as fatalities. • These effects are most pronounced during the period of 2014-18, coinciding with widespread protests in Amhara and Oromia, the […] Source: IFPRI Ethiopia: Ethiopia Strategy Support Program Full Article News Presentations Publications
from Do social protection programs reduce conflict risk? Evidence from a large-scale safety net program in rural Ethiopia By essp.ifpri.info Published On :: Wed, 06 Nov 2024 09:10:32 +0000 PSNP is largest public works program in Africa • Started in 2005 in four main highland regions • Approximately 8 million participants • We examine the effect of PSNP on both high-intensity and low-intensity conflict • Using Govt. of Ethiopia administrative PSNP records and geocoded data on conflict events (Armed Conflict Location & Event Data […] Source: IFPRI Ethiopia: Ethiopia Strategy Support Program Full Article News Presentations Publications
from From risk to resilience: How strategic government partnerships By africa.ifpri.info Published On :: Thu, 07 Nov 2024 16:08:00 +0000 From risk to resilience: How strategic government partnerships can enhance access to insurance-linked credit for smallholders in Zambia By Martina Source: IFPRI Africa Regional Office (AFR) Full Article Africa Blog Climate Change News Resilience Risk and Insurance Zambia Southern Africa
from How can African agriculture adapt to climate change: The impact of climate change and adaptation on food production in low-income countries: Evidence from the Nile Basin, Ethiopia [in Amharic] By www.ifpri.org Published On :: Sat, 07 Feb 2015 2:14:37 EST Growing consensus in the scientific community indicates that higher temperatures and changing precipitation levels resulting from climate change will depress crop yields in many countries over the coming decades. This is particularly true in low-income countries, where adaptive capacity is low. Many African countries are particularly vulnerable to climate change because their economies largely depend on climate-sensitive agricultural production. Full Article
from How can African agriculture adapt to climate change: Risk aversion in low-income countries: Experimental evidence from Ethiopia [in Amharic] By www.ifpri.org Published On :: Sat, 07 Feb 2015 2:14:37 EST Agricultural production remains the main source of livelihood for rural communities in Sub-Saharan Africa, providing employment to more than 60 percent of the population and contributing about 30 percent of gross domestic product. With likely long-term changes in rainfall patterns and shifting temperature zones, climate change is expected to significantly affect agricultural production, which could be detrimental to the region’s food security and economic growth. Full Article
from Dear Juliet : letters from the lovestruck and lovelorn to Shakespeare's Juliet in Verona. By library.gcpl.lib.oh.us Published On :: Every year, over 10,000 letters addressed to Juliet Capulet arrive in Verona, Italy, the famous hometown of Shakespeare's Romeo & Juliet. These handwritten letters come from people all over the world, seeking guidance and support from Juliet herself. Capturing the pain, joy, humor, and confusion of love, the 60 letters in this book offers encouragement, comfort, hope-and a nod to the human condition. Including responses from Juliet herself, this romantic and relatable, and perfect as a Valentine's Day gift, Dear Juliet proves that love is the universal language. Full Article
from Dear Lilly : from father to daughter : the truth about life, love, and the world we live in. By library.gcpl.lib.oh.us Published On :: A father offers his advice, opinions, and the many useful stories gleaned from his past experiences in order to help his beloved daughter not only survive, but thrive in the dangerous and unpredictable world of young adulthood. From the pen of a former abused child, drug addict, womanizing frat boy, and suicidal depressive, comes forth the emotionally stirring account of a young man's battle with crippling inner demons and his eventual road to enlightenment. Peter Greyson calls upon his wisdom as both father and school teacher to gently lead teenage girls through a maze of truth, deception, and adolescent uncertainty. Greyson's literary style sparkles with a youthful enthusiasm that will capture your heart and provide boundless inspiration. Dear Lilly is a survival guide that offers the brutally honest male perspective to young women struggling for answers to life's deepest questions. Topics include: Boys lie What every guy wants from his girlfriend Tales from the drug world Everybody hurts High school exposed Full Article
from Dear Mary : lessons from the mother of Jesus for the modern mom / Sarah Jakes. By library.gcpl.lib.oh.us Published On :: Hopeful, Inspiring Message for Moms from Sarah Jakes Mary, the mother of Jesus, is a remarkable example of quiet, resilient faith and courage in the face of adversity. From the angel's first announcement of her pregnancy to the death and resurrection of her son, Mary was witness to our Lord and Savior in a unique and special way. And as a mother herself, she speaks to the modern-day mom in a way few have explored before. Writing in the form of letters, Sarah Jakes examines the life of Mary--and through Mary, Jesus--to better understand what a life of faith looks like. Maybe you struggle to trust God's will for your life. Perhaps you have fears and insecurities that keep you from realizing the joy God wants for you, or the thought of raising little ones overwhelms you. Through the example of Mary, discover the freedom that only true faith can bring. Full Article
from Dear Mendl, dear Reyzl : Yiddish letter manuals from Russia and America / Alice Nakhimovsky and Roberta Newman. By library.gcpl.lib.oh.us Published On :: At the turn of the 20th century, Jewish families scattered by migration could stay in touch only through letters. Jews in the Russian Empire and America wrote business letters, romantic letters, and emotionally intense family letters. But for many Jews who were unaccustomed to communicating their public and private thoughts in writing, correspondence was a challenge. How could they make sure their spelling was correct and they were organizing their thoughts properly? A popular solution was to consult brivnshtelers, Yiddish-language books of model letters. Dear Mendl, Dear Reyzl translates selections from these model-letter books and includes essays and annotations that illuminate their role as guides to a past culture. Full Article
from Reducing food loss and waste for climate outcomes: Insights from national consultations in Bangladesh, Malawi and Nepal By www.ifpri.org Published On :: Wed, 21 Aug 2024 16:11:56 +0000 Reducing food loss and waste for climate outcomes: Insights from national consultations in Bangladesh, Malawi and Nepal Integrating key goals of food system transformation. The post Reducing food loss and waste for climate outcomes: Insights from national consultations in Bangladesh, Malawi and Nepal appeared first on IFPRI. Full Article
from Limiting deforestation involves complex tradeoffs: Results from a global land-use model By www.ifpri.org Published On :: Fri, 13 Sep 2024 18:10:17 +0000 Limiting deforestation involves complex tradeoffs: Results from a global land-use model Many dimensions of combating climate change. The post Limiting deforestation involves complex tradeoffs: Results from a global land-use model appeared first on IFPRI. Full Article
from How much does take-up timing for agricultural inputs depend on price? Evidence from an experiment in Nigeria By www.ifpri.org Published On :: Wed, 18 Sep 2024 16:34:45 +0000 How much does take-up timing for agricultural inputs depend on price? Evidence from an experiment in Nigeria Insights into buying behavior. The post How much does take-up timing for agricultural inputs depend on price? Evidence from an experiment in Nigeria appeared first on IFPRI. Full Article
from Does conflict-driven internal displacement influence demand for agricultural inputs? Evidence from Nigeria By www.ifpri.org Published On :: Thu, 26 Sep 2024 16:29:26 +0000 Does conflict-driven internal displacement influence demand for agricultural inputs? Evidence from Nigeria Examining the effectiveness of vouchers and marketing information. The post Does conflict-driven internal displacement influence demand for agricultural inputs? Evidence from Nigeria appeared first on IFPRI. Full Article
from From risk to resilience: How strategic government partnerships can enhance access to insurance-linked credit for smallholders in Zambia By www.ifpri.org Published On :: Thu, 07 Nov 2024 14:58:06 +0000 From risk to resilience: How strategic government partnerships can enhance access to insurance-linked credit for smallholders in Zambia The power of bundled solutions The post From risk to resilience: How strategic government partnerships can enhance access to insurance-linked credit for smallholders in Zambia appeared first on IFPRI. Full Article
from Resource-poor rice farmers in Myanmar suffer double impact from political conflict By www.ifpri.org Published On :: Tue, 12 Nov 2024 17:09:45 +0000 Resource-poor rice farmers in Myanmar suffer double impact from political conflict Productivity erodes amid turmoil. The post Resource-poor rice farmers in Myanmar suffer double impact from political conflict appeared first on IFPRI. Full Article
from Rules for resistance : advice from around the globe for the age of Trump / edited and with an introduction by David Cole ; co-edited by Melanie Wachtell Stinnett. By library.gcpl.lib.oh.us Published On :: Full Article
from Novel destinations : a travel guide to literary landmarks from Jane Austen's Bath to Ernest Hemingway's Key West / Shannon McKenna Schmidt & Joni Rendon ; foreword by Matthew Pearl. By library.gcpl.lib.oh.us Published On :: "Follow in the footsteps of much loved authors, discover the landscapes that sparked their imaginations, and learn behind-the-scenes stories in this expanded and completely updated second edition of Novel Destinations. Across more than 500 literary locales in the United States, Europe, and elsewhere, experience famous authors' homes, book festivals, literary walking tours, lodgings, restaurants, bars for bibliophiles, and much more."--page 4 of cover. Full Article
from Science Café: A problem so small you can see it from space (November 13, 2024 5:30pm) By events.umich.edu Published On :: Thu, 31 Oct 2024 13:30:30 -0400 Event Begins: Wednesday, November 13, 2024 5:30pm Location: Off Campus Location Organized By: Museum of Natural History Do we really consume a credit card’s worth of microplastics in a week? If microplastics are so small, how can they have such a big impact on our waterways? What are microplastics, anyway? Explore these questions and more at November's Science Café! Please join Chris Ruf, Principal Investigator of the Remote Sensing Group (RSG) in the Climate and Space Sciences and Engineering Department (CLaSP) and graduate student Gopal Sundaram of the College of Engineering; Melissa Duhaime, Associate Professor in the Department of Ecology and Evolutionary Biology; and members of the Duhaime Lab (Rachel Cable, Lizy Michaelson, Skyler Har), for a discussion about one of our planet’s biggest tiny problems. Full Article Lecture / Discussion
from WCEE Exhibition. Verses from a Nation in Transition. Ukraine in Photographs by Joseph Sywenkyj (November 13, 2024 8:00am) By events.umich.edu Published On :: Tue, 01 Oct 2024 14:49:29 -0400 Event Begins: Wednesday, November 13, 2024 8:00am Location: Weiser Hall Organized By: Weiser Center for Europe and Eurasia Joseph Sywenkyj is the 2024-25 Weiser Center for Europe and Eurasia’s Distinguished Fellow, and a Knight-Wallace Fellow at the University of Michigan. An award-winning American photographer of Ukrainian descent, Sywenkyj has lived and worked in Ukraine for the last two decades. He has worked throughout Europe and Central Asia for numerous publications and is a frequent contributor to *The Wall Street Journal*. His photographs have been exhibited in galleries and museums, including the United Nations Visitor’s Lobby in New York and the Taras Shevchenko National Museum in Kyiv. If there is anything we can do to make this event accessible to you, please contact us. Please be aware that advance notice is necessary as some accommodations may require more time for the university to arrange. Full Article Exhibition
from World Food Prize 2024 Borlaug International Dialogue: Side Event on “Reducing the Impact of GHGs Through Managing Food Loss and Waste (FLW): Insights from Bangladesh, Guatemala, Malawi, and Nepal” By www.ifpri.org Published On :: Wed, 09 Oct 2024 18:55:55 +0000 World Food Prize 2024 Borlaug International Dialogue: Side Event on “Reducing the Impact of GHGs Through Managing Food Loss and Waste (FLW): Insights from Bangladesh, Guatemala, Malawi, and Nepal” October 22, 2024 8:30 – 10:00 am (CDT) 9:30 – 11:00 am (EDT) Register IFPRI is participating in the 2024 Norman E. Borlaug International Dialogue. This year’s theme, “Seeds of Opportunity: Bridging Generations and Cultivating Diplomacy”, will emphasizes the vital role of integrating past wisdom, current innovations and the pressing needs of tomorrow, by leveraging […] The post World Food Prize 2024 Borlaug International Dialogue: Side Event on “Reducing the Impact of GHGs Through Managing Food Loss and Waste (FLW): Insights from Bangladesh, Guatemala, Malawi, and Nepal” appeared first on IFPRI. Full Article
from How do we prioritize agrifood system policies and investments? Insights from the RIAPA modeling system By www.ifpri.org Published On :: Tue, 04 Jun 2024 15:17:20 EDT Virtual Event: June 12, 2024 at 10:00am-11:00am EDT. In this webinar, we will demonstrate how RIAPA has been used to identify priority agricultural value chains that most effectively contribute to development outcomes. Full Article
from Reviving public extension for climate-resilient agriculture: Lessons and insights from India, Indonesia, and Nepal By www.ifpri.org Published On :: Thu, 13 Jun 2024 11:10:38 EDT Integrating reforms with global goals. Full Article
from The mouse multi-organ proteome from infancy to adulthood - Nature.com By news.google.com Published On :: Tue, 09 Jul 2024 07:00:00 GMT The mouse multi-organ proteome from infancy to adulthood Nature.com Full Article
from Use of Proteomics for Dietary Reconstruction: A Case Study Using Animal Teeth from Ancient Mesopotamia - ACS Publications By news.google.com Published On :: Thu, 15 Aug 2024 07:00:00 GMT Use of Proteomics for Dietary Reconstruction: A Case Study Using Animal Teeth from Ancient Mesopotamia ACS Publications Full Article
from Large-scale proteomics analysis of five brain regions from Parkinson’s disease patients with a GBA1 mutation - Nature.com By news.google.com Published On :: Thu, 08 Feb 2024 08:00:00 GMT Large-scale proteomics analysis of five brain regions from Parkinson’s disease patients with a GBA1 mutation Nature.com Full Article
from Mass spectrometry-based proteomics data from thousands of HeLa control samples | Scientific Data - Nature.com By news.google.com Published On :: Tue, 23 Jan 2024 08:00:00 GMT Mass spectrometry-based proteomics data from thousands of HeLa control samples | Scientific Data Nature.com Full Article
from AnnoSpat annotates cell types and quantifies cellular arrangements from spatial proteomics - Nature.com By news.google.com Published On :: Fri, 03 May 2024 07:00:00 GMT AnnoSpat annotates cell types and quantifies cellular arrangements from spatial proteomics Nature.com Full Article
from Let CTA Get You Over the Finish Line to and from the 2024 Bank of America Chicago Marathon By www.transitchicago.com Published On :: Thu, 10 Oct 2024 05:00:00 GMT CTA will be providing added capacity, so whether you plan to run or cheer on the runners, take a train or bus to avoid the headaches of traffic and parking near the route of the 2024 Bank of America Chicago Marathon and Abbott Health and Fitness Expo at McCormick Place. For details about marathon service, you can find it here on CTA’s dedicated Bank of America Chicago Marathon webpage. Full Article
from Escape from Russia By www.npr.org Published On :: Wed, 16 Mar 2022 23:13:35 +0000 An American business owner with employees in Russia extracts her colleagues from the country. | Subscribe to our weekly newsletter here.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from The quest to save macroeconomics from itself By www.npr.org Published On :: Fri, 07 Jul 2023 23:13:53 +0000 When it comes to big questions about the economy, we're still kind of in the dark ages. Why do some economies grow so much faster than others? How long is the next recession going to last? How do we stop inflation without wrecking the rest of the economy? These questions are the domain of macroeconomics. But even some macroeconomists themselves admit: While we have many theories about how the economy works, we have very few satisfying answers.Emi Nakamura wants to change all that. She's a superstar economist who is a pioneer in the field of "empirical macroeconomics." She finds clever ways of using data to untangle some of the oldest mysteries in macroeconomics, about the invisible hand, the consequences of government spending, and the inner workings of inflation.Recently we called her up to ask her why the economy is so difficult to understand in first place, and how she's trying to find answers anyway. She gets into all of that, and how Jeff Goldblum shaped her career as an economist, in this episode. This show was hosted by Jeff Guo and Nick Fountain. It was produced by Dave Blanchard with help from Sam Yellowhorse Kesler. It was engineered by Josephine Nyounai and fact checked by Sierra Juarez. Keith Romer edited the show. Alex Goldmark is our executive producer.Help support Planet Money and get bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from Summer School 8: Big ideas and life lessons from Marx, Keynes and Smith and more By www.npr.org Published On :: Wed, 28 Aug 2024 21:27:43 +0000 Take the 2024 Planet Money Summer School Quiz here to earn your personalized diploma!Find all the episodes from this season of Summer School here. And past seasons here. And follow along on TikTok here for video Summer School. We are assembled here on the lawn of Planet Money University for the greatest graduation in history – because it features the greatest economic minds in history. We'll hear from Adam Smith, Karl Marx, John Maynard Keynes, and some surprising guests as they teach us a little bit more economics, and offer a lot of life advice. But first, we have to wrap up our (somewhat) complete economic history of the world. We'll catch up on the last fifty years or so of human achievement and ask ourselves, has economics made life better for us all? This series is hosted by Robert Smith and produced by Audrey Dilling. Our project manager is Devin Mellor. This episode was edited by Planet Money Executive Producer Alex Goldmark and fact-checked by Sofia Shchukina. Help support Planet Money and hear our bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from EXTRA: The Kids From North Baghdad By www.npr.org Published On :: Tue, 19 Sep 2023 04:05:53 +0000 In celebration of our 20th Anniversary, StoryCorps will be revisiting some of our most memorable conversations from the past two decades. This week, we announce an upcoming special series with this short story from our Military Voices Initiative.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from 12 Feet From a Bomb By www.npr.org Published On :: Tue, 29 Oct 2024 07:00:00 +0000 On the morning of January 29th, 1998, a terrorist bombed the New Woman All Women Health Care Clinic in Birmingham, Alabama, killing a police officer and severely injuring a nurse. Both victims risked their own safety to show up for others—despite having different beliefs—and will forever be linked by the same act of political violence.Leave us a voicemail at 702-706-TALK, or email us at podcast@storycorps.org.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from Hear a live acoustic performance from The Lemon Twigs By www.npr.org Published On :: Thu, 22 Aug 2024 07:00:59 +0000 The music of Long Island duo Michael and Brian D'Addario is rooted in '70s rock and pop.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from Sense of Place: ATARASHII GAKKO! wants to awaken Tokyo from its doldrums By www.npr.org Published On :: Fri, 30 Aug 2024 07:00:59 +0000 Following a set at Coachella and a breakout hit, this energetic Japanese girl group has its sights set on world domination.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from WATCH: Pixies plays songs from their new album, 'The Night the Zombies Came' By www.npr.org Published On :: Thu, 24 Oct 2024 07:00:59 +0000 The alternative rock pioneers perform an exclusive set ahead of the release of their latest album.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from How 'Roxanne' changed Sting's life and more stories from his back catalog By www.npr.org Published On :: Fri, 08 Nov 2024 17:35:54 +0000 Find out which songs the English musician chose to perform for World Cafe's new feature called Backtracking.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from From Manoush: The Opportunity Of Boredom By www.npr.org Published On :: Wed, 18 Mar 2020 20:16:00 +0000 With many of us stuck at home right now, it's natural to feel bored and listless. But our new host Manoush Zomorodi is kind of an expert in boredom - she wrote a book and gave a TED Talk on the topic - and she says it doesn't have to be so bad. In 2018, Guy Raz interviewed Manoush for our episode "Attention Please." Listen to why we might actually need to feel bored in order to jump-start our creativity.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from Lessons From The Summer By www.npr.org Published On :: Fri, 21 Aug 2020 04:01:14 +0000 The summer of 2020 has been overwhelming for most of us. This hour, we hear from four guests—each from recent episodes—who sum up where we've been and offer the wisdom we need for the months ahead. Guests include political strategist Tom Rivett-Carnac, political philosopher Danielle Allen, anthropologist Heidi Larson, and writer and scholar Clint Smith.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
from An SOS From The Ocean By www.npr.org Published On :: Fri, 25 Jun 2021 04:01:46 +0000 For centuries, humans have relied on the oceans for resources and food... but even the deepest sea has its limits. This hour, TED speakers discuss how we can save our seas to save our planet. Guests include marine biologists Asha de Vos, Ayana Elizabeth Johnson, and Alasdair Harris, and oceanographer Sylvia Earle.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy Full Article
