HOTTEST

Coros Apex 4 smartwatch. ZDNET’s key takeaways: The Coros Apex 4 is available now in 42mm and 46mm sizes, for $429 and $479, respectively. Its long battery life continues to be a Coros foundational element, and the speaker/microphone support hands-free calls and voice notes. The watch sports a lower resolution display, has a minimal […]

Artie Beaty/ZDNET

In 2021 and 2023, Cash App suffered two different data breaches — one in which a former employee downloaded user transaction reports, and another in which an unauthorized person accessed user account data.

A new class action lawsuit alleges that Cash App was negligent in handling these breaches and didn’t properly address customer concerns. Now, the company is paying a settlement to affected users — if you suffered a financial loss, you might be eligible.

The exact amount each user receives will depend on how many users file a claim and how much the lawyers take. However, the settlement site says you can submit a claim for up to $2,500 to reimburse losses.

Many class action members, though, lost much more than that. According to one woman’s legal complaint, she lost $40,000 and spent hundreds of hours recovering from the breach. Other users complained about thieves taking money to buy Bitcoin, Google marketplace gift cards, items on the Roblox marketplace, stocks, and more. Some class members had funds taken all at once, while some had it taken over time on as many as 75 different occasions.

What kind of losses can users recover?

If the Cash App security breach caused you to pay for credit monitoring, request a credit report, cancel or replace a payment card, close a bank account and open a new one, or incur an overdraft or late payment fee, you can potentially have that amount reimbursed. You will need third-party documentation to prove these amounts, and you can also account for up to three hours of lost time at $25 an hour.

CISA released its own Log4J scanner this week alongside a host of other scanners published by cybersecurity companies and researchers.
The open-sourced Log4j scanner is derived from scanners created by other members of the open source community, and it is designed to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities. CISA said it modified a Log4J scanner created by security company FullHunt and got help from other researchers like Philipp Klaus and Moritz Bechler.

The repository provides a scanning solution for CVE-2021-44228 and CVE-2021-45046. CISA said it supports DNS callback for vulnerability discovery and validation while providing fuzzing for HTTP POST Data parameters, fuzzing for JSON data parameters, and support for lists of URLs. It also features WAF Bypass payloads and fuzzing for more than 60 HTTP request headers.

CrowdStrike similarly released its own free Log4J scanner called the CrowdStrike Archive Scan Tool, or “CAST.”

Yotam Perkal, vulnerability research lead at Rezilion, did a test of some of the Log4J scanners, finding that many were unable to find all instances of the vulnerability.
“The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files – which means that a shallow search for the file won’t find it,” Perkal said. “Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages.”

Rezilion tested the nine scanners most commonly used by developers and IT teams against a dataset of packaged Java files where Log4j was nested and packaged in various formats.

Perkal said that while some scanners did better than others, none were able to detect all formats. According to Perkal, the research illustrates “the limitations of static scanning in detecting Log4j instances.”

“It also reminds us that detection abilities are only as good as your detection method. Scanners have blind spots,” Perkal explained. “Security leaders cannot blindly assume that various open source or even commercial-grade tools will be able to detect every edge case. And in the case of Log4j, there are a lot of edge instances in many places.”

One of the main entities involved in the Brazilian government’s plan to fight the coronavirus outbreak, food and drug regulator Anvisa, has banned the use of video conferencing platform Zoom. In a memo sent to staff on Monday (6), the regulator, which is responsible for the regulation and approval of pharmaceutical drugs, sanitary standards and […]

Garmin Venu X1. ZDNET’s key takeaways: The Garmin Venu X1 is available in two color options for $599 (on sale). The big 2-inch display is fantastic, the LED flashlight is brilliant, the thin case and light band make it a joy to wear, and the calculator now has a tip button. The always-on mode […]
Internet of Things
Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017
That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way
LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology
The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors




