Web application security

Google, Microsoft and Mozilla push browser updates to foil zero-day

A zero-day in Google’s Chrome browser was first reported by surveillance researchers at The Citizen Lab and Apple, but also affects other browsers Continue Reading

GitHub fixes race condition that could have led to ‘repojacking’

A subtle flaw in how GitHub handled repository creation and user renaming could have had serious consequences for the open source community, but has now been fixed. Learn more about how it worked Continue Reading

Storm-0324 gathers over Microsoft Teams

An initial access broker associated with several different ransomware operations is now conducting Microsoft Teams phishing attacks Continue Reading

Patch Tuesday: Microsoft fixes zero-days in Word and Streaming Service

September 2023 brings a light Patch Tuesday, with two zero-days and five critical vulnerabilities listed in the latest release Continue Reading

Salesforce and Zoom embrace ethical hackers. You should, too

Software companies Salesforce and Zoom discuss their successful bug bounty programmes, what they learned at a recent in-person hackathon in which they participated, and why others shouldn’t be scared of hackers Continue Reading

Apple patches Blastpass exploit abused by spyware makers

Apple has patched two vulnerabilities that formed an exploit chain which has been allegedly abused by spyware company NSO Continue Reading

UK minister fails to reassure tech companies over encryption risk

Technology companies say reassurances by government ministers that they have no intention of weakening end-to-end encrypted communication services do not go far enough Continue Reading

CW EMEA: The value of valuing people

In this month’s CW EMEA ezine, we look at HR software and strategies that can help combat staff attrition, find out how Finland’s and Sweden’s plans to join NATO have initiated activity in the Nordic cyber security sector already, consider the data privacy challenges associated with generative AI, and find out why it is important for companies to implement new cryptography standards now in preparation for quantum-safe communication. Read the issue now. Continue Reading

French supreme court dismisses legal challenge to EncroChat cryptophone evidence

Defence lawyers plan to appeal to the European Court of Human Rights after the French supreme court disallowed an appeal over the legality of EncroChat evidence Continue Reading

Researchers find flaw in Mend.io security platform

WithSecure’s research team uncovered an authentication flaw in an application security platform developed by Mend.io, which has now been fixed Continue Reading

How startup Once.net and Cloudflare secured the 2023 Eurovision vote

When the Eurovision Song Contest introduced paid-for public voting from outside Europe in 2023, it faced new cyber challenges. Learn how Dutch startup Once.net and Cloudflare teamed up to secure and support the big night Continue Reading

Threat actors exploiting unpatched Juniper Networks devices

A series of vulnerabilities in Juniper Networks firewalls and switches appear to be being exploited in the wild to enable remote code execution, with thousands of devices thought to be exposed Continue Reading

AI and supply chain visibility key to mitigating OT security threats

Leveraging AI and maintain visibility into the security of your software supply chain are key to mitigating cyber attacks against operational technology systems Continue Reading

Google bets on AI-backed cyber controls for Workspace users

Zero-trust and digital sovereignty controls are the focus of a series of enhancements being made for Google Workspace users Continue Reading

Researchers demo fake airplane mode exploit that tricks iPhone users

Exploit chain that tricks a victim into believing their iOS device is offline in airplane mode when it is not could open the door to grave privacy concerns Continue Reading

CyberArk eyes growth beyond PAM

CyberArk is seeing exponential growth in the broader identity security market as the company expands its capabilities beyond privileged access management Continue Reading

Google speeds up security update frequency for Chrome

Changes to Google’s security update policy are supposed to help close the gap in which cyber criminals can exploit n-day vulnerabilities Continue Reading

Microsoft addresses Office vulnerability attacked by Russian spooks in latest update

Microsoft has issued fixes for over 70 vulnerabilities in its August Patch Tuesday drop, including remedies for CVE-2023-36884, which was disclosed without a fix in July and has been the subject of Kremlin-backed cyber attacks Continue Reading

Many UK organisations considering ChatGPT bans on employee devices

More than 60% of organisations in the UK have either banned, or are considering banning, the use of generative AI tools on employee- or business-owned devices Continue Reading

Microsoft fixes Azure flaw that was subject of researcher criticism

Microsoft has confirmed a potentially-dangerous flaw in the Azure platform has now been fully fixed, and moved to reassure customers that despite criticism it is committed to responsible disclosure and timely fixes Continue Reading

Rise in fraudsters spoofing the websites of leading UK banks

Despite safeguards to protect customers from scams, UK retail banks are still seeing high volumes of fake phishing websites exploiting their brands, and the problem seems to be increasing in scope and scale Continue Reading

Log4Shell, ProxyShell still among most widely exploited flaws

Statistics released by the collective Five Eyes cyber agencies reveals insight into the most exploited vulnerabilities of 2022, and unsurprisingly there are some old ‘friends’ on the list Continue Reading

Biden’s SBOM mandate a ‘shot heard around the world’, report says

Two years and three months after Joe Biden mandated new standards in supply chain security, over 40% of UK respondents to a survey say they have implemented new SBOM policies in direct response Continue Reading

Cozy Bear hijacks SME Microsoft 365 tenants in latest campaign

Microsoft shares intelligence on a newly observed Cozy Bear campaign that saw the APT take over genuine Microsoft 365 tenants and subvert them to try to phish its victims Continue Reading

Microsoft attacked over ‘grossly irresponsible’ security practice

The CEO of Tenable has launched a scathing attack on Microsoft, asserting that the organisation is deliberately keeping its Azure cloud customers in the dark about dangerous vulnerabilities and accusing it of a culture of ‘toxic obfuscation’ Continue Reading

Singtel adds Zscaler SSE to managed security services portfolio

Singtel teams up with Zscaler to offer a managed security service edge service as it looks to ramp up its enterprise business Continue Reading

AI has a place in cyber, but needs effective evaluation

Organisations that don’t leverage AI-based security solutions will find themselves more vulnerable than those that do., but cyber pros still need to ensure they can effectively evaluate AI-enhanced tech to ensure it meets their use case Continue Reading

Ant Group teams with NTU to advance privacy-preserving technologies

The Chinese fintech giant is partnering with Singapore’s Nanyang Technological University on a cryptographic protocol that ensures the privacy of transacting parties Continue Reading

Future Cyber Threats: The four ‘horsemen of the apocalypse’

How to deal with emerging security threats from deep fake humans to the end of secure encryption  Continue Reading

Critical Adobe ColdFusion flaws chained in ongoing cyber attacks

Two vulnerabilities in Adobe ColdFusion have been chained by threat actors to target victim systems, apparently after one of them was accidentally disclosed Continue Reading

The essential role of PETs in unlocking the trillion dollar SaaS market

Ahead of the Eyes-Off Data Summit in Dublin, Jack Fitzsimons of Oblivious AI explains why so-called Privacy Enhancing Technologies or PETs may hold the key to unlocking the full potential of SaaS in the enterprise Continue Reading

One month after MOVEit: New vulnerabilities found as more victims are named

Five weeks after the mass MOVEit breach, new vulnerabilities in the file transfer tool are coming to light as the Clop cyber crime group continues to terrorise victims. But has the gang bitten off more than it can chew? Continue Reading

Hackers: We won’t let artificial intelligence get the better of us

AI is changing how ethical hackers go about their work, and will continue to do so, but the community is convinced the technology will never be able to replicate the creativity of a flesh-and-blood hacker Continue Reading

Microsoft users on high alert over dangerous RCE zero-day

A serious RCE vulnerability in Microsoft Office and Windows is among several zero-days disclosed in Redmond’s July Patch Tuesday update, but this one does not have a patch yet Continue Reading

Why we need to research the cybersecurity needs of Micro-Businesses?

Current government policy, from digital inclusion to cyber security is based on allegation, not evidence with regard to the five million microbusinesses and sole traders who account for 30% of the ... Continue Reading

How Maxeon is forging the path to SASE

Maxeon Solar Technologies is building out its security service edge capabilities with an eye on a SASE implementation that combines best of breed offerings from different suppliers Continue Reading

How Fastly thinks differently about CDNs and the edge

Fastly is counting on its developer chops and different approaches towards security and other areas to compete with its rivals Continue Reading

Early June Microsoft outages were result of large-scale DDoS hit

Investigations into recent outages on Microsoft Azure and Outlook services have turned up evidence of a massive distributed denial-of-service attack Continue Reading

No zero-days for June Patch Tuesday, but plenty to chew over

On the face of it, Microsoft’s monthly round of updates is a lighter-than-usual load for security teams, with no zero-days in evidence, but there are still plenty of issues needing attention Continue Reading

Cyber attacks against APAC commerce sector surpass 1.1 billion

Retailers, hotels and travel-related organisations in the region saw over a billion cyber attacks last year amid the surge in e-commerce activity and online travel bookings Continue Reading

Ofcom data stolen in MOVEit cyber attack

Communications regulator Ofcom says data on employees and regulated communications companies was stolen by the Clop gang Continue Reading

Progress Software releases patch for second MOVEit Transfer vulnerability

Progress Software releases a patch for a second MOVEit Transfer issue, which was uncovered by third-party security specialist Huntress Security during post-incident code scanning Continue Reading

Extreme Networks emerges as victim of Clop MOVEit attack

Network equipment and services supplier Extreme Networks has revealed its instance of Progress Software’s MOVEit tool was compromised in the ongoing Clop cyber attack Continue Reading

Vulnerability exploitation volumes up over 50% in 2022

Data from Palo Alto Networks’ Unit 42 threat intel specialists reveals insight into the scale of vulnerability exploitation in the wild Continue Reading

Clop may have been sitting on MOVEit vulnerability for two years

The Clop cyber extortion gang may have been keeping the MOVEit SQL injection vulnerability they used to penetrate the systems of multiple victims secret for two years Continue Reading

Victims of MOVEit SQL injection zero-day mount up

The BBC, Boots, and British Airways are among the victims of cyber incidents arising from a recently disclosed vulnerability in the MOVEit file transfer, exploitation of which is spreading fast Continue Reading

Generative AI – the next biggest cyber security threat?

Following the launch of ChatGPT in November 2022, several reports have emerged that seek to determine the impact of generative AI in cyber security. Undeniably, generative AI in cyber security is a double-edged sword, but will the paradigm shift in favour of opportunity or risk? Continue Reading

Security Think Tank: A brief history of (secure) coding

From controlling who was allowed to work with IBM mainframes to present-day DevSecOps techniques, the concept of secure coding has a longer history than you might think Continue Reading

Can the UK cash in on chips?

In this week’s Computer Weekly, the UK government has committed £1bn to the semiconductor sector – but can it ever compete with the US and China? The potential of 5G networking could transform manufacturing – we examine the implications. And we talk to the global CIO at cloud storage provider Box about plans to incorporate AI and machine learning. Read the issue now. Continue Reading

Security Think Tank: Why “secure coding” is neither

Ensuring the security of code is just one element of a complex software lifecycle and risk management process that people need to think about more holistically, says Ed Moyle Continue Reading

How to secure your software supply chain

In this week’s Computer Weekly, our latest buyer’s guide looks at secure coding, and kicks off by examining the challenges of securing your software supply chain. Cyber law enforcement leaders are calling on firms to end the secrecy around ransomware attacks. And we find out how facial recognition technology is being adopted by retailers. Read the issue now. Continue Reading

Pentera ups ante in penetration testing

The Israeli startup, which expanded to the APAC region last year, scans for vulnerabilities and emulates cyber attacks through its automated security validation platform Continue Reading

Security Think Tank: To secure code effectively, verify at every step

Verification at every step is an important part of ensuring your code is secure, writes Petra Wenham Continue Reading

MS macro-blocking has forced cyber criminals to innovate

One year after Microsoft started blocking VBA and XL4 macros by default, the cyber criminal ecosystem has all but stopped exploiting macros in their attacks. They’re instead innovating at an unprecedented rate Continue Reading

What secure coding practices mean to modern cyber security

Joseph Foote of PA Consulting explores how we know the services we use most are protected, what we mean when we say 'secure coding practices', and what happens when secure coding practices are not followed? Continue Reading

Secure Boot vulnerability causes Patch Tuesday headache for admins

Applying the fix for a security bypass zero-day affecting the Windows Secure Boot feature will be a long process that will drag into 2024, but for good reason, says Microsoft Continue Reading

Google debuts passwordless login options for users

Launch of Google’s passkey service hailed as a great leap forward for passwordless technology Continue Reading

Cyber Action Plan for Wales launched

The devolved Welsh government has set out four priorities in an action plan designed to foster cyber resilience, talent and innovation across the country Continue Reading

TikTok fixes vulnerability that could have exposed user activity data

A potentially dangerous vulnerability in the TikTok video-sharing platform was discovered by Imperva researchers, and has now been fixed Continue Reading

Tenable opens playground for generative AI cyber tools

A set of generative AI cyber tools designed to help security researchers in reverse engineering, debugging and other areas of work have been made available for the community to experiment with Continue Reading

Could your employees’ use of ChatGPT put you in breach of GDPR?

Following Italy's run-in with OpenAI’s ChatGPT, legal expert Richard Forrest emphasises the necessity for additional scrutiny while using AI tools in a work environment, and practical guidance on doing so safely Continue Reading

Prototype cyber tech has revolutionary potential

The so-called CHERI protection model developed at the University of Cambridge is showing great promise for future cyber security technologies Continue Reading

Bumblebee malware flies on the wings of Zoom and ChatGPT

Bumblebee malware, often used as a stepping stone to ransomware, is now spreading via trojanised installers for popular software applications Continue Reading

3CX incident may be world’s first double supply chain attack

It’s supply chain attacks all the way down as Mandiant publishes information suggesting that the 3CX software supply chain compromise was initiated via a prior software supply chain compromise Continue Reading

Global finance firms take part in NATO cyber attack simulation

Global financial services organisations take part in NATO annual event which simulates cyber attacks on critical infrastructure Continue Reading

Securing your software supply chain

Organisations need to have a thorough understanding of software components and build security controls into development lifecycles to shore up the security of their software supply chains Continue Reading

Thousands at risk from critical RCE bug in legacy MS service

Thousands of organisations worldwide are at risk from three vulnerabilities – one critical – in a legacy Microsoft service that they may not be aware they are running Continue Reading

UK joins key allies to launch secure-by-design guidelines

The UK has joined international partners in sharing new advice to help technology companies embed security into the product design and development process Continue Reading

Italy to lift ChatGPT ban subject to new data protection controls

Italian regulator will lift its ban on OpenAI’s ChatGPT subject to a strict new data protection regime Continue Reading

April Patch Tuesday fixes zero-day used to deliver ransomware

A zero-day in the Microsoft Common Log File System that has been abused by the operator of the Nokoyawa ransomware is among 97 vulnerabilities fixed in April’s Patch Tuesday update Continue Reading

Okta integrates with Singapore’s national digital ID system

The integration with Singpass will let Okta customers authenticate consumers using Singapore’s national digital ID system and is expected to expand the company’s reach in regulated industries Continue Reading

OSC&R supply chain security framework goes live on Github

The OSC&R framework for understanding and evaluating threats to supply chain security has made its debut on Github to allow anybody to contribute to the framework Continue Reading

3CX unified comms users hit by supply chain attacks

Ongoing supply chain attacks against customers of UC firm 3CX appear to be linked to North Korean threat actors Continue Reading

Apple security updates fix 33 iPhone vulnerabilities

A larger-than-usual update to Apple’s mobile operating system fixes more than 30 distinct vulnerabilities, including two serious issues that may potentially affect device kernels Continue Reading

Europol warns cops to prep for malicious AI abuse

In a report looking at how large language models can be used by criminals, Europol’s Innovation Lab calls on law enforcement agencies to prepare themselves for wide-ranging impacts on their work Continue Reading

Is TikTok really a security threat to your business?

In this week’s Computer Weekly, with the UK government becoming the latest administration to ban TikTok, we ask whether the controversial social media app is really a security threat to enterprises. Technology guru Bruce Schneier tells us about the need to take back control of AI and the personal data it relies on. And we look at how firms are trying – and failing – to make AI work for online content moderation. Read the issue now. Continue Reading

France latest to ban TikTok on government devices

Following bans in the UK and US, France has moved to enact restrictions on TikTok, and other social media apps, on government devices Continue Reading

Nordics move towards common cyber defence strategy

Nordic countries agree to work together to improve their cyber defences amid increasing threat Continue Reading

How Mimecast thinks differently about email security

Mimecast CEO Peter Bauer believes the company’s comprehensive approach towards email security has enabled it to remain relevant to customers for two decades Continue Reading

UK TikTok ban gives us all cause to consider social media security

The UK government’s ban on TikTok should give all organisations cause to look into what information social media platforms are collecting on us, and what they are using it for Continue Reading

Microsoft patches Outlook zero-day for March Patch Tuesday

A highly dangerous privilege escalation bug in Outlook is among 80 different vulnerabilities patched in Microsoft’s March Patch Tuesday update Continue Reading

Nine in 10 enterprises fell victim to successful phishing in 2022

Egress annual email security risk report breaks down impacts of email-based phishing attacks and data loss, and the effect these can have on organisations in terms of staff retention and morale Continue Reading

Singapore organisations struggle to operationalise threat intelligence

Organisations in the city-state were satisfied with the quality of their threat intelligence, but they struggled to operationalise the information due to talent shortages and other challenges Continue Reading

How to tame the identity sprawl

Organisations should find a comprehensive way to gain full visibility into their digital identities and leverage automation to tame the identify sprawl Continue Reading

Microsoft fixes three zero-days in February update

February’s Patch Tuesday update contains fixes for three previously unpublicised zero-days in Microsoft Office, Windows Graphics Component and Windows Common Log File System Driver Continue Reading

OSC&R framework to stop supply chain attacks in the wild

The backers of a new MITRE ATT&CK style framework called OSC&R hope to help organisations get to grips with threats to their software supply chains Continue Reading

APAC buyer’s guide to SASE

In this buyer’s guide on secure access service edge services, we look at the benefits of the technology, key considerations and the market landscape Continue Reading

Online banks still riddled with cyber security flaws, report says

Online bank Virgin Money was found to have the weakest online and application security measures in a Which? study but Nationwide, TSB and The Co-Operative Bank all failed on multiple points, too. Continue Reading

LockBit gang confirms Ion cyber attack as disruption continues

The LockBit ransomware cartel has taken responsibility for this week’s attack on financial software firm Ion, and is threatening to leak stolen data on Saturday 4 February Continue Reading

GitHub warns Desktop, Atom users after code-signing certificates pinched

Threat actors stole encrypted code-signing certificates for GitHub’s Desktop and Atom applications in December 2022, prompting warnings for users Continue Reading

Zero-trust implementations remain work in progress

Just one in 10 large enterprises are expected to have mature and measurable zero-trust programmes in place by 2026, study finds Continue Reading

NCSC exposes Iranian, Russian spear-phishing campaign targeting UK

Spear-phishing campaigns likely linked to Iranian and Russian espionage activity are targeting persons of interest in the UK, warns the NCSC Continue Reading

SSRF attacks hit 100,000 businesses globally since November

There has been a dramatic increase in attacks exploiting the ProxyNotShell/OWASSRF exploit chains to target Microsoft Exchange servers Continue Reading

Trellix automates patching for 62,000 vulnerable open source projects

Since revealing startling statistics about the prevalence of a 15-year-old Python vulnerability, Trellix says it has helped fix almost 62,000 vulnerable projects in the past four months Continue Reading

Mailchimp suffers third breach in 12 months

Email marketing service Mailchimp has suffered its third data breach in a year, but has been praised for being open about its latest attack Continue Reading

Chrome vulnerability could have led to widespread data theft

A dangerous vulnerability in Google Chrome and Chromium-based browsers could have put billions of users’ files at risk of being stolen Continue Reading

Europe’s cyber security strategy must be clear about open source

Europe’s cyber security policy on open source is lagging behind the US, and despite growing government awareness of the issues, that poses a problem Continue Reading

Should we be worried about malicious use of AI language models?

WithSecure research into GPT-3 language models, used by the likes of ChatGPT, surfaces concerning findings about how easy it is to use large language models for malicious purposes. Should security teams be concerned? Continue Reading

Microsoft fixes EoP zero-day on January Patch Tuesday

On the first Patch Tuesday of 2023, Microsoft fixed an elevation of privilege vulnerability in Windows Advanced Local Procedure Call, which has been actively exploited in the wild and may be co-opted into ransomware campaigns Continue Reading

Cyber gang abused free trials to exploit public cloud CPU resources

A South Africa-based cyber crime gang exploited free trials and introductory offers to run cryptominers via public cloud services, then did a runner without paying Continue Reading