Data Breaches

Open letter demands OWASP overhaul, warns of mass project exodus

For more than two decades, the Open Worldwide Application Security Project (OWASP) has provided free and open resources for improving the security of software. Led by the non-profit OWASP Foundation, OWASP has brought together community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and educational and training conferences for developers and technologists to secure the web. However, an open letter signed by dozens of OWASP members, contributors, and supporters questioned…

Read More

Municipal CISOs grapple with challenges as cyber threats soar

On February 10, the City of Oakland, California, announced it had been hit by a ransomware attack that knocked many of its systems offline. Four days later, Oakland declared a state of emergency as it grappled with the wide-ranging impact of the incident, which left city phone systems and multiple non-emergency services inoperable, including its 311 phone system. As of February 24, many city services were still down, including the 311 system, just as a…

Read More

Tracking device technology: A double-edged sword for CISOs

The transportation industry has doubled down in the area of fleet tracking in recent years, which has come with great benefits and not a few security headaches. On the consumer side, we’ve spoken of Apple’s AirTag and how it has been used to find personal items of import — and also its potential to be abused by the nefarious to track and trace individuals. Now we see that Google is jumping into the fray, with…

Read More

HPE to acquire Axis Security to deliver a unified SASE offering

Hewlett Packard Enterprise has agreed to buy cloud security services provider Axis Security, its third acquistion since January, to deliver a unified secure access service edge (SASE) offering. The acquisition is aimed at incorporating the Axis security service edge (SSE) platform into HPE’s edge-to-cloud network security capabilities with to deliver integrated networking and security solutions as-a-service. SSE is considered a subset of the broader SASE framework. “As we transition from a post-pandemic world, and a…

Read More

Iron Tiger updates malware to target Linux platform

Iron Tiger, an advanced persistent threat (APT) group, has updated their SysUpdate malware to include new features and add malware infection support for the Linux platform, according to a report by Trend Micro. The earliest sample of this version was observed in July 2022 and after finding multiple similar payloads in late October 2022, Trend Micro researchers started looking into it and found similarities with the SysUpdate malware family. Iron Tiger is a group of China-based…

Read More

IOTW: US Marshals Service suffers ransomware attack

The US Marshals Service (USMS), a federal law enforcement agency within the US Department of Justice (DoJ) has announced that it was the victim of a ransomware attack that compromised confidential information held by the agency.  The attack, which took place on February 17, saw “a ransomware and data exfiltration” attack launched against a “stand-alone USMS system”.  The system compromised in the attack held a number of sensitive documents, including “returns from legal process, administrative…

Read More

IBM partners up with Cohesity for better data defense in new storage suite

IBM and data security and backup provider Cohesity have formed a new partnership, calling for Cohesity’s data protection functionality to be incorporated into an upcoming IBM storage product suite, dubbed Storage Defender, for better protection of end-user organizations’ critical information. The capabilities of Cohesity’s DataProtect backup and recovery product will be one of four main feature sets in the Storage Defender program, according to an announcement from IBM Thursday. The Storage Defender suite is designed…

Read More

White House releases an ambitious National Cybersecurity Strategy

The White House released its long-anticipated National Cybersecurity Strategy, a comprehensive document that offers fundamental changes in how the US allocates “roles, responsibilities, and resources in cyberspace.” The strategy involved months of discussions among more than 20 government agencies and countless consultations with private sector organizations. It encompasses virtually all the weaknesses and challenges inherent in cybersecurity, from software vulnerabilities to internet infrastructure vulnerabilities to workforce shortages. Chief among the changes proposed in the strategy…

Read More

Gitpod flaw shows cloud-based development environments need security assessments

Researchers from cloud security firm Snyk recently discovered a vulnerability that would have allowed attackers to perform full account takeover and remote code execution (RCE) in Gitpod, a popular cloud development environment (CDE). Cloud-based development environments are popular because they’re easier to deploy and maintain than local ones and promise better security. However, organizations should properly assess security risks CDEs can introduce and are unique to their architectures, especially since they haven’t received much scrutiny from…

Read More

Software liability reform is liable to push us off a cliff

Like “SBOMs will solve everything,” there is a regular cry to reform software liability, specifically in the case of products with insecurities and vulnerabilities. US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly’s comments this week brought the topic back into focus, but it’s still a thorny issue. (There’s a reason certain things are called “wicked problems.”) The proposed remedy, taking up a full page of the Biden Administration’s National Cybersecurity Strategy, will cause…

Read More