Legit Security software compliance attestation trust center Legit Security introduced a software compliance attestation trust center, which by using frameworks such as SLSA, PCI DSS, SOC2, and ISO 27001, helps teams quickly assess the state of a software security program to identify gaps that create risk. The trust center also supports new CISA requirements. It…
Read MoreMay 02, 2024NewsroomVulnerability / Data Breach The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild. Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to…
Read MorePrinciples and objectives driving the NSM The NSM cites eight core principles that drive the NSM. First among these is a sense of shared responsibility by government entities and the owners of critical to come together in a “national unity of effort.” Related to this united effort is the principle that government regulatory and oversight…
Read MoreMay 02, 2024NewsroomCyber Espionage / Network Security A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. “This malware is modular, designed primarily to steal authentication material found in web…
Read MoreThe UK Government takes aim at IoT devices shipping with weak or default passwords, an identity thief spends two years in jail after being mistaken for the person who stole his name, and are you au fait with the latest scams? All this and much more is discussed in the latest edition of the “Smashing…
Read MoreCloud storage firm DropBox says hackers breached production systems for its DropBox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information. DropBox Sign (formerly HelloSign) is an eSignature platform allowing customers to send documents online to receive legally binding signatures. The company says they detected unauthorized access to…
Read MoreHPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow problems that can lead to remote code execution (RCE). Products impacted by…
Read MoreGoogle’s new round of layoffs hit developers and engineers working inside Google’s Core business unit. Here’s what you need to know. Just one week after reporting $80.5 billion in sales and $23.7 billion in net income during its first quarter 2024, Google is laying off hundreds of employees—including many in its ‘Core’ team roles—while moving…
Read MoreSynthetic Content Risks Today’s first-generation AI systems are capable of maliciously synthesizing images, sound, and video well enough for it to be indistinguishable from genuine content. The guide “Reducing Risks Posed by Synthetic Content” (NIST AI 100-4) examines how developers can authenticate, label, and track the provenance of content using technologies such as watermarking. A…
Read MoreThe US government is warning that pro-Russian hacktivists are seeking out and hacking into unsecured operational technology (OT) systems used to disrupt critical infrastructure operations. The joint advisory comes from six US govt agencies, including CISA, FBI, NSA, EPA, DOE, USDA, and FDA, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), Canada’s Centre for…
Read More