Data Breaches

Azure API Management flaws highlight server-side request forgery risks in API development

Microsoft recently patched three vulnerabilities in its Azure API Management service, two of which enabled server-side request forgery (SSRF) attacks that could have allowed hackers to access internal Azure assets. The proof-of-concept exploits serve to highlight common errors that developers could make when trying to implement blacklist-based restrictions for their own APIs and services. Web APIs have become an integral part of modern application development, especially in the cloud. They allow services to communicate and…

Read More

Orca integrates cloud app security platform with GPT-4

Agentless cloud security provider Orca Security has integrated Microsoft Azure OpenAI GPT-4 into its cloud-native application protection platform (CNAPP) under the ChatGPT implementation program that the cybersecurity company started earlier this year. “With our transition to Azure OpenAI, our customers benefit from the security, reliability, and enterprise level support that Microsoft provides,” said Avi Shua, chief innovation officer and co-founder of Orca Security.  “By integrating GPT-4 into Orca Security’s CNAPP platform, security practitioners can instantly…

Read More

Microsoft patches 3 vulnerabilities in Azure API Management

Microsoft has patched three new vulnerabilities in the Azure API Management service which includes two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload, according to cybersecurity firm Ermetic. The vulnerabilities were achieved through url formatting bypasses and an unrestricted file upload functionality in the API Management developer portal, Ermetic said. The cybersecurity firm identified the vulnerabilities in December and Microsoft patched them in January. The Azure API…

Read More

IOTW: Former Uber CSO charged with concealing data breach

Former Uber CSO, Joe Sullivan, has been sentenced to three years’ probation for his involvement in covering up a data breach in 2016 that affected 57 million Uber users. Sullivan was convicted on October 5 of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with his attempts to cover up the hack. US district judge William Orrick sentenced Sullivan on May 4 to three years’ probation and 200…

Read More

Google launches entry-level cybersecurity certificate to teach threat detection skills

Google has announced a new entry-level cybersecurity certificate to teach learners how to identify common risks, threats, and vulnerabilities, as well as the techniques to mitigate them. Designed and taught by Google’s cybersecurity experts, the Google Cybersecurity Certificate aims to prepare learners for entry-level jobs in cybersecurity in less than six months with no prior experience required, create greater opportunities for people around the world, and help fill the growing number of open cyber roles,…

Read More

The top 8 password attacks and how to defend against them

Did you know that the very first password attack happened in 1962? At that time, MIT’s CTSS (Compatible Time-Sharing System) was the first to utilize passwords for granting individual access. Allen Scherr, a Ph.D. researcher, wanted to use the CTSS beyond his allocated weekly hours. In order to extend his usage time, he decided to borrow passwords from other people. Scherr managed to obtain all the passwords stored in the CTSS system by submitting a…

Read More

The Merck appeal: cyber insurance and the definition of war

Pharmaceutical firm Merck recently won an appeal that could mean its insurers will have to pay up on a $1.4-billion judgment related to the NotPetya cyberattack in 2017. The New Jersey appellate division judges hearing the appeal judge noted that the plain definition of war applies to the various insurance policies and that a cyberattack against an accounting firm not engaged in hostilities, while criminal and based on ill-will, was not tantamount to an act…

Read More

Patch manager Action1 to add vulnerability discovery, prioritization

Cloud-native, patch-management application provider Action1 is set to add vulnerability discovery and prioritization capabilities to its namesake flagship platform to help businesses stay ahead of software exploits. The plan is part of a company strategy to expand beyond its traditional patch management features and add capabilities aimed at enhancing an organization’s resilience to cybersecurity threats. “The new features will enable customers to see beyond what is patchable into what is actually vulnerable,” said Mike Walters,…

Read More

IOTW: American Bar Association accused of data breach affecting 1.4 million peop…

In a class action lawsuit, the American Bar Association (ABA) has been accused of “grossly fail[ing] to comply with security standards” and causing a data breach that affected approximately 1.5 million people. The data breach, which occurred in March 2023, saw a malicious actor gain access to the ABA’s systems and steal the data of approximately 1.4 million members. The data stolen included personal information such as name, phone number, address and email address. The…

Read More

Hundreds of members of congress affected by data breach

DC Health Link, the provider of health insurance for those in the United States (US) Government, has suffered a data breach that affects over 50,000 people.  The breach, which took place on March 6, saw an unauthorized party gain access to the data of 56,415 current and past customers of DC Health Link, including 585 staff members and 17 members of the US Congress.  In a message sent to employees on March 8, the US…

Read More