News

Plus: Deep dive into the NSO Group's zero-click exploit and 'Hack the DHS!'

In Brief  VMware has warned users a flaw in its VMware Verify two-factor authentication product could allow a malicious actor with a first-factor authentication credential to obtain a second factor from its VMware Verify product.…

Third major fix in ten days is an infinite recursion flaw rated 7.5/10

The Apache Software Foundation (ASF) has revealed a third bug in its Log4 Java-based open-source logging library Log4j.…

Report claims Huawei techs working for Chinese intelligence compromised Australian telco

Suspicions about the integrity of Huawei products among US government officials can be attributed in part to a 2012 incident involving a Huawei software update that compromised the network of a major Australian telecom company with malicious code, according to a report published by Bloomberg.…

Federal agencies have a week to get their systems patched

The US government's Cybersecurity and Infrastructure Security Agency (CISA) on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021.…

£200k Anglo-French heat-seeking missile does its thing

The RAF has scored its first air-to-air "kill" – where an aircraft downs an enemy aircraft – for almost 40 years after shooting down a drone over Syria.…

Workspace ONE Unified Endpoint Management can leak info via server-side request forgery

VMware customers have probably had a busy week because more than 100 of the IT giant's products are impacted by the Log4j bug.…

Meta adverse to internet mercenaries using its social networks to help governments violate human rights

Facebook successor Meta on Thursday said it canceled 1,500 social media accounts used by seven surveillance-for-hire firms to conduct online attacks against government critics and members of civil society.…

Security teams have a choice to make – and doing nothing is not an option

Paid Feature  Time waits for no one. But ransomware attackers do. Increasingly, cybercriminals are timing their attacks, detonating them when their victims are out of the office. This gives them the chance to inflict maximum damage, and explains why ransomware attacks surge on public holidays like Thanksgiving and Christmas. How do they do it, and what can under-staffed security teams do about it?…

App runs off a database, and databases are run by humans

British police have made a series of arrests over the past few months after people with apparent access to NHS databases allegedly sold fake vaccination status entries on the NHS vaccine passport app.…

The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them

Advertorial  The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.…

And potentially an increase in UK state-backed hacks

The British government has launched a £2.6bn National Cyber Strategy, intended to steer the state's thinking on cyber attack, defence and technology for the next three years – and there's some good news if you run a tech company.…

Looks a lot like a response to messaging services passing data through China

Social media and search engine operators in Japan will be required to specify the countries in which users' data is physically stored, under a planned tweak to local laws.…

But still allows limited harvesting

Meta has expanded its bug bounty program to include payouts for reports of scraping attacks on Facebook – but hold your applause.…

Microsoft says cyber-spies linked to Beijing, Tehran are getting busy with security flaw along with world + dog

Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.…

Export controls aren't enough, Dems say: Bring on the Global Magnitsky Act

Eighteen US Democratic lawmakers have asked the Treasury Department and State Department to punish Israel-based spyware maker NSO Group and three other surveillance software firms for enabling human rights abuses.…

And online flea market had IDOR in an iOS-focused API

UK online used goods bazaar Gumtree exposed its users' home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.…

Round off the year with a large crop of fixes for programming blunders

Patch Tuesday  It's not just Log4j you need to worry about this week. It's the final Patch Tuesday of the year.…

Now open-source logging library's JNDI disabled entirely by default, message lookups removed

Last week, version 2.15 of the widely used open-source logging library Log4j was released to tackle a critical security hole, dubbed Log4Shell, which could be trivially abused by miscreants to hijack servers and apps over the internet.…

Here’s how to secure that ever-expanding attack surface

Paid Post  Serverless is revolutionizing software development, allowing organizations to produce applications which consume cloud resources only when they need to. Developing applications this way also dramatically reduces the amount of code to write while increasing the velocity of completed applications.…

Private equity owners play pass the parcel

One of the biggest beasts in the password management world, LastPass, is being spun out from parent LogMeIn as a "standalone cloud security" organisation.…