#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Password Management | Breaking Cybersecurity News | The Hacker News

SaaS Compliance through the NIST Cybersecurity Framework

SaaS Compliance through the NIST Cybersecurity Framework
Feb 20, 2024 Cybersecurity Framework / SaaS Security
The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world's most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.  One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards.  However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we'll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps' security posture.  Start with Admins Role-based access control (RBAC) is a key to NIST adherence and should be applied to every SaaS a

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor
Feb 15, 2024 Malware / Cyber Espionage
The Russia-linked threat actor known as Turla has been observed using a new backdoor called  TinyTurla-NG  as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023. "TinyTurla-NG, just like TinyTurla, is a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems," Cisco Talos  said  in a technical report published today. TinyTurla-NG is so named for exhibiting similarities with TinyTurla, another implant used by the adversarial collective in intrusions aimed at the U.S., Germany, and Afghanistan since at least 2020. TinyTurla was  first documented  by the cybersecurity company in September 2021. Turla, also known by the names Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB

1Password Detects Suspicious Activity Following Okta Support Breach

1Password Detects Suspicious Activity Following Okta Support Breach
Oct 24, 2023 Cyber Attack / Password Management
Popular password management solution 1Password said it detected suspicious activity on its Okta instance on September 29 following the support system breach, but reiterated that no user data was accessed. "We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing," Pedro Canahuati, 1Password CTO,  said  in a Monday notice. The breach is said to have occurred using a session cookie after a member of the IT team shared a HAR file with Okta Support, with the threat actor performing the below set of actions - Attempted to access the IT team member's user dashboard, but was blocked by Okta Updated an existing IDP tied to our production Google environment Activated the IDP Requested a report of administrative users The company said it was alerted to the malicious activity after the IT team member received an email about the "requested" administrative user repor

Webinar: How to streamline security reviews with Trust Center

cyber security
websiteVantaCompliance / Security Audit
Learn how Vanta Trust Center can help provide real-time evidence for passing controls and automate responses to security questionnaires.

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks
May 20, 2024Software Security / Vulnerability
All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make up between  70% and 90% of any given piece of modern software . Unfortunately for our security-minded developers, most modern vulnerabilities come from those software components.  As new vulnerabilities emerge and are publicly reported as  Common Vulnerabilities and Exposures  (CVEs), security teams have little choice but to ask the developer to refactor the code to include different versions of the dependencies. Nobody is happy in this situation, as it blocks new features and can be maddening to roll back component versions and hope that nothing breaks. Developers need a way to  quickly  determine if

Solving Your Teams Secure Collaboration Challenges

Solving Your Teams Secure Collaboration Challenges
May 12, 2023 Password Management
In today's interconnected world, where organisations regularly exchange sensitive information with customers, partners and employees, secure collaboration has become increasingly vital. However, collaboration can pose a security risk if not managed properly. To ensure that collaboration remains secure, organisations need to take steps to protect their data. Since collaborating is essential for almost any team to succeed, shouldn't you be able to do it securely? Whether you're sharing a Wi-Fi password, a social media account, or the passwords to a financial account, you deserve peace of mind. The risks of not protecting your sensitive data can be disastrous, from data breaches and reputational damage to legal ramifications and financial loss. But let's face it: Secure collaboration can be a real nightmare. Challenges of Secure Collaboration and Password Sharing It's another day in the office, and your team needs to share a ridiculous amount of sensitive informati

LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen

LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen
Dec 23, 2022 Password Management / Data Breach
The  August 2022 security breach  of LastPass may have been more severe than previously disclosed by the company. The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults by using data siphoned from the earlier break-in. Among the data stolen are "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the company  said . The August 2022 incident, which  remains  a subject of an ongoing investigation, involved the miscreants accessing source code and proprietary technical information from its development environment via a single compromised employee account. LastPass said this permitted the unidentified attacker to obtain credentials and keys that were subseque

Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

Critical Security Flaw Reported in Passwordstate Enterprise Password Manager
Dec 22, 2022 Password Management
Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords. "Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG  said  in a report published this week. "Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username." Passwordstate, developed by an Australian company named Click Studios, has over  29,000 customers  and is used by more than 370,000 IT professionals. One of the flaws also impacts  Passwordstate version 9.5.8.4  for the Chrome web browser. The latest version of the browser add-on

Google Adds Passkey Support to Chrome for Windows, macOS and Android

Google Adds Passkey Support to Chrome for Windows, macOS and Android
Dec 12, 2022 Password Management
Google has officially begun rolling out support for  passkeys , the next-generation passwordless login standard, to its stable version of Chrome web browser. "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant's Ali Sarraf  said . "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks." The improved security feature, which is available in version 108, comes nearly two months after Google  began testing the option  across Android, macOS, and Windows 11. Passkeys  obviate the need for passwords by requiring users to authenticate themselves during sign in by unlocking their nearby Android or iOS device using biometrics. This, however, calls for websites to build passkey support on their sites using the  WebAuthn API . Essentially, the technology works by creating a unique cryptographic key pair to associate with an account for the app or website d

LastPass Suffers Another Security Breach; Exposed Some Customers Information

LastPass Suffers Another Security Breach; Exposed Some Customers Information
Dec 01, 2022 Password Management
Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information. "We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo," LastPass CEO Karim Toubba  said . GoTo, formerly called LogMeIn, acquired LastPass in October 2015. In December 2021, the Boston-based firm  announced  plans to spin off LastPass as an independent company. The digital break-in resulted in the unauthorized third-party leveraging information obtained following a previous breach in August 2022 to access "certain elements of our customers' information." The August 2022 security event  targeted  its development environment, leading to the theft of some of its source code and technical information. In September, LastPass  revealed  the threat actor had access for four days. The scope of the breach

Hackers Breach LastPass Developer System to Steal Source Code

Hackers Breach LastPass Developer System to Steal Source Code
Aug 26, 2022
Password management service LastPass confirmed a security incident that resulted in the theft of certain source code and technical information. The security breach is said to have occurred two weeks ago, targeting its development environment. No customer data or encrypted passwords were accessed, although the company provided no further details regarding the hack and what source code was stolen. "An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," LastPass CEO Karim Toubba  said . Amidst ongoing investigation into the incident, the company said it has engaged the services of a leading cybersecurity and forensics firm and that it has implemented additional countermeasures. LastPass, however, didn't elaborate on the exact mitigation techniques that it used to strengthen its environment. It also reiterated that the
Expert Insights
Cybersecurity Resources