Search results for Security | Breaking Cybersecurity News | The Hacker News

More than a decade ago, the concept of the  'blameless'  postmortem changed how tech companies recognize failures at scale. John Allspaw, who coined the term during his tenure at Etsy, argued postmortems were all about controlling our natural reaction to an incident, which is to point fingers: "One option is to assume the single cause is incompetence and scream at engineers to make them 'pay attention!' or 'be more careful!' Another option is to take a hard look at how the accident actually happened, treat the engineers involved with respect, and learn from the event." What can we, in turn, learn from some of the most honest and blameless—and public—postmortems of the last few years? GitLab: 300GB of user data gone in seconds What happened : Back in 2017, GitLab experienced a painful 18-hour outage. That story, and GitLab's subsequent honesty and transparency, has significantly impacted how organizations handle data security today. The incident began when GitLab's secondary datab

Today I discuss an attack vector conducive to cross-organizational spread, in-home local propagation. Though often overlooked, this vector is especially relevant today, as many corporate employees remain working from home. In this post, I contrast in-home local propagation with traditional vectors through which a threat (ransomware in particular) spreads throughout an organization. I discuss the reasons this type of spread is problematic for employees and corporations alike. Finally, I offer simple solutions to mitigate the risk of such tactics.  Why Should IT and Security Stakeholders Care? Today's long cycle attacks are often reconnoitering the victim environment for weeks, if not months. In this time, the attacker gains a tremendous amount of knowledge about systems in the victim's footprint. This additional loiter time in the victim's environment, coupled with ad-hoc maintained work-from-home environments, presents both an  ingress avenue  for attacks into their net

As part of  Checkmarx's mission  to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy) [1] , it was considered in scope for our research, so we decided to start there, and see what we could find. What we found is an attack scenario that results from chaining security issues found on different Porsche's assets, a website and a GraphQL API, that could lead to data exfiltration. Data exfiltration is an attack technique that can impact businesses and organizations, regardless of size. When malicious users breach a company's or organization's systems and exfiltrate data, it can be a jarring and business-critical moment. Porsche has a diverse online presence - deploying several microsites, websites, and web applications. The Porsche Experience [2] is one website that allows registered users to

Permissions in SaaS platforms like Salesforce, Workday, and Microsoft 365 are remarkably precise. They spell out exactly which users have access to which data sets. The terminology differs between apps, but each user's base permission is determined by their role, while additional permissions may be granted based on tasks or projects they are involved with. Layered on top of that are custom permissions required by an individual user.  For example, look at a sales rep who is involved in a tiger team investigating churn while also training two new employees. The sales rep's role would grant her one set of permissions to access prospect data, while the tiger team project would grant access to existing customer data. Meanwhile, special permissions are set up, providing the sales rep with visibility into the accounts of the two new employees. While these permissions are precise, however, they are also very complex. Application admins don't have a single screen within these applications th

We found a high concern for cybersecurity tactics and an increased awareness of the challenges that it brings. This week, we shared lots of stories with our readers, and to help them in identifying the biggest malware threats to their online safety. We are here with the outline of our last week stories, just in case you missed any of them ( ICYMI ). We recommend you read the entire thing ( just click ' Read More ' because there's some valuable advice in there as well ). Here's the list: ➢ How Hackers Can Hack Your Gmail Accounts? Getting smarter in their phishing tactics, hackers have found out ways to fool Gmail's tight security system by bypassing its two-step verification. Hackers are now using text messages and phone-based phishing attacks to circumvent Gmail's security and take over your Gmail accounts. — Read more . ➢ Not Just Windows 10, Windows 7 and 8 Also Spy on You Laughing at controversial data mining and privacy invasion featur

When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu

There are three things you can be sure of in life: death, taxes – and new CVEs. For organizations that rely on CentOS 8, the inevitable has now happened, and it didn't take long. Just two weeks after reaching the official end of life, something broke spectacularly, leaving  CentOS 8  users at major risk of a severe attack – and with no support from CentOS. You'd think that this issue no longer affects a significant number of organizations because by now, companies would have migrated away from CentOS 8 to an OS that is actively supported by vendors. After all, vendor support is critical for security and compliance. But as it always is with these things, you can count on the fact that a big chunk of CentOS 8 users are soldiering on with an unsupported OS, despite being aware of the risks. With that risk now crystallizing we're using this article to examine  CVE-2021-4122 , the newly discovered vulnerability in LUKS encryption, and to discuss your options for mitigating it. Wait, wha

End-user passwords are one of the weakest components of your overall security protocols. Most users tend to reuse passwords across work and personal accounts. They may also choose relatively weak passwords that satisfy company password policies but can be easily guessed or brute-forced. Your users may also inadvertently use  breached passwords  for their corporate account password. The  National Institute of Standards and Technology (NIST)  has a cybersecurity framework that helps organizations address common cybersecurity pitfalls in their environment, including weak, reused, and breached passwords. This post will take a closer look at the NIST password guidelines and see how you can effectively audit your password policies to ensure these meet the standards recommended by NIST. NIST Password Guidelines and Best Practices Specific guidance around passwords is addressed within the chapter titled  Memorized Secret Verifiers . NIST has several recommendations in regards to passwords