February 2024
Can I Really Live Off The Interest of My $1 Million Portfolio?
Reports: Thunder finalizing trade to acquire Gordon Hayward from Hornets
The Thunder are adding the veteran wing for their push for the No. 1 seed in the West.
Dave Ramsey Tells 29-Year-Old With $1 Million In Debt He’s Going To Destroy Her Life As She Knows It – ‘Your Friends Are Going To Think You’ve Lost Your Mind And Your Mother Is Going To Think You Need Counseling’
Here’s the Average Age Americans Claim Social Security and the Monthly Benefit They Receive
Qolsys IQ Panel 4, IQ4 HUB
1. EXECUTIVE SUMMARY
- CVSS v3 7.3
- ATTENTION: Low attack complexity
- Vendor: Qolsys, Inc.
- Equipment: IQ Panel 4, IQ4 Hub
- Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow the panel software, under certain circumstances, to provide unauthorized access to settings.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products from Qolsys, Inc., a subsidiary of Johnson Controls, are affected:
- Qolsys IQ Panel 4: Versions prior to 4.4.2
- Qolsys IQ4 Hub: Versions prior to 4.4.2
3.2 Vulnerability Overview
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
In Qolsys IQ Panel 4 and IQ4 Hub versions prior to 4.4.2, panel software, under certain circumstances, could allow unauthorized access to settings.
CVE-2024-0242 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Ireland
3.4 RESEARCHER
Cody Jung reported this vulnerability to Johnson Controls, Inc.
4. MITIGATIONS
Johnson Controls has provided the following recommendations for its subsidiary company, Qolsys, Inc., to help reduce the risk of the vulnerability:
- Upgrade IQ Panel 4, IQ4 Hub to version 4.4.2.
- The firmware can be updated remotely to all available devices in the field.
- The firmware update can also be manually loaded by applying the patch tag “iqpanel4.4.2” on the device after navigating to its firmware update page.
- For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-03.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
- February 8, 2024: Initial Publication
HID Global Reader Configuration Cards
1. EXECUTIVE SUMMARY
- CVSS v3 5.3
- ATTENTION: Low attack complexity
- Vendor: HID Global
- Equipment: Reader Configuration Cards
- Vulnerability: Improper Authorization
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to read the credential and device administration keys from a configuration card. Those keys could be used to create malicious configuration cards or credentials.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following HID products are affected:
- HID iCLASS SE reader configuration cards: All versions
- OMNIKEY Secure Elements reader configuration cards: All versions
3.2 Vulnerability Overview
3.2.1 IMPROPER AUTHORIZATION CWE-285
Sensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys.
CVE-2024-23806 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
HID Global reported this vulnerability to CISA.
4. MITIGATIONS
HID Global recommends the following mitigations to reduce the risk:
- Elite Key and Custom Key customers that have kept their configuration cards secure should continue to be vigilant and restrict access to those cards. To exploit this vulnerability, a reader must be physically close to or in possession of the configuration cards to communicate with the card and extract information.
- Administrators should plan to securely destroy unneeded configuration cards.
- Customers using the HID standard key, and other customers who are concerned their keys may be compromised should consider steps to update the readers and credentials with new keys. To assist in this effort, HID will be introducing a free upgrade to the Elite Key program. Contact your HID representative for more information at https://www.hidglobal.com/support.
HID has also provided additional steps users can take to harden their readers to prevent malicious configuration changes.
iCLASS SE Readers
- iCLASS SE Readers using firmware version 8.6.0.4 or higher can use the HID Reader Manager application to prevent the readers from accepting configuration changes from Configuration Cards.
If you need assistance, or if the reader firmware has not been updated to 8.6.0.4 or higher, contact HID Technical Support.
HID OMNIKEY Readers, OMNIKEY Secure Elements, iCLASS SE Reader Modules, iCLASS SE Processors
- Contact HID to receive a “Shield Card” that will prevent further configuration changes using reader configuration cards.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
- February 6, 2024: Initial Publication
MLB team owners ‘increasingly supportive’ of allowing stars to participate in 2028 LA Olympics, per report
MLB fans could see their favorite sport return to the Olympics in 2028.
Today’s Wordle Hints (and Answer) for Thursday, February 8, 2024
If you’re looking for the Wordle answer for February 8, 2024, read on. We’ll share some clues, tips, and strategies, and finally the solution. Today’s puzzle is on the easier side; I got it in three. Beware, there are spoilers below for February 8, Wordle #964! Keep scrolling if you want some hints (and then the answer) to today’s Wordle game.
How to play Wordle
Wordle lives here on the New York Times website. A new puzzle goes live every day at midnight, your local time.
Start by guessing a five-letter word. The letters of the word will turn green if they’re correct, yellow if you have the right letter in the wrong place, or gray if the letter isn’t in the day’s secret word at all. For more, check out our guide to playing Wordle here, and my strategy guide here for more advanced tips. (We also have more information at the bottom of this post, after the hints and answers.)
Ready for the hints? Let’s go!
Does today’s Wordle have any unusual letters?
We’ll define common letters as those that appear in the old typesetters’ phrase ETAOIN SHRDLU. (Memorize this! Pronounce it “Edwin Shirdloo,” like a name, and pretend he’s a friend of yours.)
We’ve got three common letters in our mnemonic today, and there are two letters that aren’t but are also fairly common. No unusual letters today.
Can you give me a hint for today’s Wordle?
Not a person or a thing.
Does today’s Wordle have any double or repeated letters?
No repeated letters today.
How many vowels are in today’s Wordle?
Two vowels today.
What letter does today’s Wordle start with?
Today’s word starts with P.
What letter does today’s Wordle end with?
Today’s word ends with E.
What is the solution to today’s Wordle?
Ready? Today’s word is PLACE.
How I solved today’s Wordle
After ARISE and TOUCH, I guessed that A belonged in the middle, which left me only with the first two letters to figure out. I went for other relatively common letters that worked in combo, which led me to PLACE.
Wordle 964 3/6 🟨⬛⬛⬛🟩 ⬛⬛⬛🟩⬛ 🟩🟩🟩🟩🟩
A primer on Wordle basics
The idea of Wordle is to guess the day’s secret word. When you first open the Wordle game, you’ll see an empty grid of letters. It’s up to you to make the first move: type in any five-letter word.
Now, you can use the colors that are revealed to get clues about the word:
- Green means you correctly guessed a letter, and it’s in the correct position. (For example, if you guess PARTY, and the word is actually PURSE, the P and R will be green.)
- Yellow means the letter is somewhere in the word, but not in the position you guessed it. (For example, if you guessed PARTY, but the word is actually ROAST, the R, A and T will all be yellow.)
- Gray means the letter is not in the solution word at all. (If you guessed PARTY and everything is gray, then the solution cannot be PURSE or ROAST.)
With all that in mind, guess another word, and then another, trying to land on the correct word before you run out of chances. You get six guesses, and then it’s game over.
The best starter words for Wordle
What should you play for that first guess? The best starters tend to contain common letters, to increase the chances of getting yellow and green squares to guide your guessing. (And if you get all grays when guessing common letters, that’s still excellent information to help you rule out possibilities.) There isn’t a single “best” starting word, but the New York Times’s Wordle analysis bot has suggested starting with one of these:
- CRANE
- TRACE
- SLANT
- CRATE
- CARTE
Meanwhile, an MIT analysis found that you’ll eliminate the most possibilities in the first round by starting with one of these:
- SALET
- REAST
- TRACE
- CRATE
- SLATE
Other good picks might be ARISE or ROUND. Words like ADIEU and AUDIO get more vowels in play, but you could argue that it’s better to start with an emphasis on consonants, using a starter like RENTS or CLAMP. Choose your strategy, and see how it plays out.
How to win at Wordle
We have a few guides to Wordle strategy, which you might like to read over if you’re a serious student of the game. This one covers how to use consonants to your advantage, while this one focuses on a strategy that uses the most common letters. In this advanced guide, we detail a three-pronged approach for fishing for hints while maximizing your chances of winning quickly.
The biggest thing that separates Wordle winners from Wordle losers is that winners use their guesses to gather information about what letters are in the word. If you know that the word must end in -OUND, don’t waste four guesses on MOUND, ROUND, SOUND, and HOUND; combine those consonants and guess MARSH. If the H lights up in yellow, you know the solution.
One more note on strategy: the original Wordle used a list of about 2,300 solution words, but after the game was bought by the NYT, the game now has an editor who hand-picks the solutions. Sometimes they are slightly tricky words that wouldn’t have made the original list, and sometimes they are topical. For example, FEAST was the solution one Thanksgiving. So keep in mind that there may be a theme.
Wordle alternatives
If you can’t get enough of five-letter guessing games and their kin, the best Wordle alternatives, ranked by difficulty, include:
- Dordle and Quordle, which ask you to play two (Dordle) or four (Quordle) puzzles at the same time, with the same guesses. There is also Octordle, with eight puzzles, and Sedecordle, with 16.
- Waffle, which shows you several five-letter words, scrambled in a grid; you play by swapping the letters around until you solve.
- Absurdle, which changes the solution after each guess, but needs to stay consistent with its previous feedback. You have to strategically back it into a corner until there is only one possible word left; then you guess it, and win.
- Squabble, in which you play Wordle against other people with a timer running. You take damage if you spend too much time between guesses; winner is the last one standing.
- Antiwordle, in which you are trying not to guess the day’s solution. You’re required to reuse any letters that you (oops) guessed correctly, so the longer it takes you, the better you are at the game.
Celebrating MLB’s Black Aces: How Vida Blue’s 24 wins in 1971 helped bring success back to the Oakland A’s
Vida Blue is one of the 15 members of the exclusive baseball fraternity known as the Black Aces.