News

Web application security

• October 31, 2022 31 Oct'22

  Prepare today for potentially high-impact OpenSSL bug

  OpenSSL trailed a critical vulnerability patch last week, which will be only the second such flaw ever found in the open source encryption project. Unfortunately, the first was Heartbleed

• October 27, 2022 27 Oct'22

  LinkedIn adds new features to safeguard user privacy, security

  Social media platform is adding a number of features and systems designed to protect legitimate users from inauthentic profiles and activity

• October 18, 2022 18 Oct'22

  Apache vulnerability a risk, but not as widespread as Log4Shell

  A newly disclosed Apache Commons Text vulnerability may put many at risk, but does not appear to be as impactful or widespread as Log4Shell

• October 18, 2022 18 Oct'22

  Virtually all vulnerable open source downloads are avoidable

  Some 96% of known vulnerable open source downloads could have been avoided altogether, according to a report

• October 14, 2022 14 Oct'22

  Malicious WhatsApp add-on highlights risks of third-party mods

  Kaspersky researchers discovered a malicious version of a widely used WhatsApp messenger mod, highlighting the risks of using so-called mods

• October 14, 2022 14 Oct'22

  Office 365 email encryption flaw could pose risk to user privacy

  A vulnerability in Microsoft Office 365 Message Encryption could leave the contents of emails dangerously exposed, but with no fix coming it’s up to users to decide how at risk they are

• October 13, 2022 13 Oct'22

  Gartner: Remote work, zero trust, cloud still driving cyber spend

  Security leaders are eager to spend on categories including remote and hybrid cyber offerings, zero-trust network access, and cloud

• October 12, 2022 12 Oct'22

  Microsoft fixes lone zero-day on October Patch Tuesday

  Microsoft patched a solitary zero-day vulnerability in its latest monthly drop, but fixes for two others disclosed in the past few weeks are nowhere to be seen

• October 11, 2022 11 Oct'22

  Contractor left Toyota source code exposed for five years

  Source code related to Toyota’s T-Connect service was left exposed on GitHub for over five years by a contractor

• October 10, 2022 10 Oct'22

  How Cloudflare is staying ahead of the curve

  Cloudflare co-founder and CEO Matthew Prince talks up what has changed since the company’s first business plan was written in 2009 and how it keeps pace with the fast-moving network security landscape

• September 29, 2022 29 Sep'22

  Failure of Russia’s cyber attacks on Ukraine is most important lesson for NCSC

  Russia has so far failed in its attempts to destabilise Ukraine through cyber attacks due to strength of Ukrainian, security industry and international efforts

• September 28, 2022 28 Sep'22

  Most hackers exfiltrate data within five hours of gaining access

  Insights from more than 300 sanctioned adversaries, otherwise known as ‘ethical’ hackers, reveal that around two-thirds are able to collect and exfiltrate data within just five hours of gaining access

• September 26, 2022 26 Sep'22

  How Russian intelligence hacked the encrypted emails of former MI6 boss Richard Dearlove

  Hack by Russian-linked ColdRiver group exposed former MI6 chief Richard Dearlove’s contacts and email communications with government, military, intelligence and political officials

• September 26, 2022 26 Sep'22

  More than 30 startups to join Plexal’s Cyber Runway accelerator

  Now in its second year, the Cyber Runway accelerator has been designed to support firms at various stages of growth, as well as help the cyber security sector to improve on its diversity, inclusion and regional representation

• September 22, 2022 22 Sep'22

  Nordic private equity firms pursue cyber security acquisitions

  Increasing interest in the security sector from Nordic private equity firms is a reflection of growing threats and increasing enterprise security budgets

• September 21, 2022 21 Sep'22

  15-year-old Python bug present in 350,000 open source projects

  A Python tarfile vulnerability first disclosed in 2007 still persists to this day, according to analysis from Trellix

• September 16, 2022 16 Sep'22

  Uber suffers major cyber attack

  Details are trickling out of an apparent ‘near total’ compromise of ride-sharing service Uber by an alleged teenage hacktivist

• September 14, 2022 14 Sep'22

  Microsoft patches 64 vulnerabilities on September Patch Tuesday

  Microsoft drops fixes for five critical vulnerabilities and one zero-day in its latest monthly update

• September 13, 2022 13 Sep'22

  Cloud compromise a doddle for threat actors as victims attest

  Two separate studies into the state of public cloud security reveal insight into the ease with which threat actors can compromise vast numbers of targets, and some of the challenges security teams are facing in the cloud

• September 13, 2022 13 Sep'22

  Users warned over Azure Active Directory authentication flaw

  Secureworks researchers found what they say is a serious vulnerability in an Azure Active Directory authentication method, but Microsoft says it should not pose a serious risk to users

• September 12, 2022 12 Sep'22

  CISOs should spend on critical apps, cloud, zero-trust, in 2023

  Faced with a global recession next year, security buyers should try to direct investment towards technology that protects customer-facing and revenue-generating workloads, say analysts

• September 08, 2022 08 Sep'22

  Dutch cyber security organisations to join forces

  Cyber security organisations in the Netherlands are going to merge into a single central expertise centre and information hub, which all organisations in the country will soon be able to tap into

• September 07, 2022 07 Sep'22

  August ’22 a bumper month for high-impact vulnerabilities

  Bugs in products from Apple, Google, Microsoft and VMware dominated the threat landscape in August, says Recorded Future

• September 07, 2022 07 Sep'22

  Prince’s Trust teams with threat management specialist in skills push

  Prince’s Trust hopes to address shortfall in cyber professionals and improve diversity in the industry

• August 31, 2022 31 Aug'22

  Google debuts open source bug bounty programme

  Google is calling on hackers to take pot-shots at its open source projects for the first time through a new vulnerability research programme

• August 30, 2022 30 Aug'22

  LastPass breach limited in scale and well-managed, say experts

  A breach of LastPass’s developer environment does not seem to have affected users of the password management service, but it may still be time for a credential reset

• August 25, 2022 25 Aug'22

  Millions of Plex users may be at risk in password breach

  Up to half of Plex’s 30 million users may have had their personal data stolen by an unknown threat actor

• August 23, 2022 23 Aug'22

  DevSecOps: Software developers lack sufficient security focus

  GitLab survey shows developers want to produce high-quality code, but ‘shifting’ security left is hard to achieve

• August 19, 2022 19 Aug'22

  Cozy Bear targets MS 365 environments with new tactics

  Cozy Bear, or APT29, is trying out new tricks as it seeks access to its targets’ Microsoft 365 environments

• August 19, 2022 19 Aug'22

  Apple patches two zero-days in macOs, iOS

  Mac users should urgently apply new patches addressing vulnerabilities in its desktop and mobile operating systems

• August 18, 2022 18 Aug'22

  Growing MFA use spurs ‘pass-the-cookie’ attacks

  The exploitation of stolen session cookies by cyber criminals is once again back on the agenda, thanks to the growing popularity of multifactor authentication tools

• August 12, 2022 12 Aug'22

  Microsoft doles out $13.7m in bug bounties

  Microsoft’s Bug Bounty programme has paid a total of $13.7m to more than 300 researchers in almost 50 countries

• August 11, 2022 11 Aug'22

  NHS may take a month to recover from supply chain attack

  Ransomware attack victim Advanced warns its NHS customers they could be waiting until early September to fully recover their operations

• August 10, 2022 10 Aug'22

  GitHub targets vulnerable open source components

  There are thousands of vulnerabilities in open source code – GitHub aims to help developers see if their projects are impacted

• August 10, 2022 10 Aug'22

  Microsoft fixes two-year-old MSDT vulnerability in August update

  August’s Patch Tuesday drop fixes more than 120 CVEs, including another MSDT RCE zero-day that is being actively exploited.

• August 04, 2022 04 Aug'22

  Spyware activity particularly impactful in July

  After a quiet June, vulnerability exploitation ramped up in July, with intrusions linked to spyware seeing unusually high volumes of activity, according to a report

• July 28, 2022 28 Jul'22

  NCSC startups scheme turns focus to operational technology, SME security

  NCSC for Startups initiative turns its focus to supporting innovation around securing operational technology and addressing the challenges facing small businesses

• July 28, 2022 28 Jul'22

  Cyber criminals pivot away from macros as Microsoft changes bite

  As Microsoft resumes blocking macros by default in its Office application suite, reversing a temporary reversal, analysis from Proofpoint suggests the action has had a remarkable effect

• July 27, 2022 27 Jul'22

  Retail software firm PrestaShop warns users about SQL injection attacks

  Open source e-commerce platform PrestaShop warns thousands of small retailers that their customers’ credit card details may be at risk of compromise

• July 26, 2022 26 Jul'22

  Ducktail infostealer targets Facebook Business users

  Newly uncovered Ducktail operation targets individuals with access to Facebook Business service and tries to steal their accounts

• July 25, 2022 25 Jul'22

  Latest Atlassian Confluence vulnerability raises concerns

  CVE-2022-26138 is the second major vulnerability disclosure made for Atlassian’s Confluence collaboration platform in recent months

• July 22, 2022 22 Jul'22

  LinkedIn most impersonated brand in phishing attacks

  Social network LinkedIn, along with Microsoft and DHL, are just some of the brands that are most frequently imitated by cyber criminals conducting phishing attacks

• July 21, 2022 21 Jul'22

  Buy ‘plug-n-play’ malware for the price of a pint of beer

  Three-quarters of malwares and almost 90% of exploits retail on the dark web for about £8.40 or less, according to a report

• July 20, 2022 20 Jul'22

  (ISC)² expands entry-level cyber programme after UK success

  Flush with success from a UK certification programme, reaching 100k in the UK, (ISC)² now wants to provide free security certification to a million people worldwide

• July 20, 2022 20 Jul'22

  Cato aims to bust cyber myths as it extends network protections

  Cato Networks is beefing up its platform’s security features with ransomware and data loss protections, and the firm’s security strategy lead Etay Maor is using the occasion – and his unique access to billions of data points from the firm’s network ...

• July 15, 2022 15 Jul'22

  Log4Shell on its way to becoming ‘endemic’

  US government report concludes that, like Covid, Log4Shell will be with us for a long time to come

• July 13, 2022 13 Jul'22

  Slippery phish wriggles around MFA protections, says Microsoft

  Microsoft’s threat researchers share details of a phishing campaign that hit 10,000 organisations, against which standard multifactor authentication provides little defence

• July 13, 2022 13 Jul'22

  Digital break-up kit to help women get out of bad relationships safely

  Domestic abuse charity Refuge teams up with Avast to equip women with the knowledge to effectively and safely end a relationship digitally

• July 13, 2022 13 Jul'22

  July Patch Tuesday brings more than 80 fixes, one zero-day

  While some admins can put their feet up and let Windows Autopatch do the hard work of updating their Microsoft estates, for the rest of us, the Patch Tuesday bandwagon keeps on keeping on

• July 12, 2022 12 Jul'22

  Microsoft Windows Autopatch now generally available

  Microsoft customers with Windows Enterprise E3 and E5 licences can now take full advantage of its new automated patching service