Articles about Security

Thousands of Android apps have hard-coded secrets which means that a malicious actor -- and not necessarily a very skilled one -- could gain access to API keys, Google Storage buckets and unprotected databases and more.

Research from Cybernews shows that over half of 30,000 investigated apps are leaking secrets that could have huge repercussions for both app developers and their customers.

Continue reading →

A new study of SaaS usage among enterprises across the US, UK and Europe shows 74 percent report more than half of their applications are now SaaS-based, and 66 percent are spending more on SaaS applications today than a year ago.

The study by cybersecurity asset management company Axonius shows the increase in SaaS applications has resulted in more complexity and increased security risk in 66 percent of organizations, but 60 percent rank SaaS security fourth or lower on their list of current security priorities, and only 34 percent say they're worried about the costs associated with rising SaaS-based app usage.

Continue reading →

According to a recent IBM report the average cost of a data breach is now $4.35 million. If enterprises don't take steps to protect personal data effectively they risk losing not just money but also the trust of their customers.

We spoke to Saswata Basu, founder and CEO of 0Chain, to discuss how decentralized storage can help to address the problem.

Continue reading →

Google is not alone in offering so-called bug bounty programs which give financial incentives to contributors to track down vulnerabilities and security issues in its software. Now the company has launched a new initiative called the Open Source Software Vulnerability Rewards Program (OSS VRP).

As the name suggests, this new program focuses on Google's open source projects. The company is offering rewards of between $100 and $31,337, depending on the severity of the vulnerability.

Continue reading →

Your friends may not be willing to tell you that you're looking older, but facial recognition systems have no such reservations.

Face-recognition algorithms might struggle to identify you as the same person after just five years, according to the New Scientist.

Continue reading →

Earlier this month, messaging service Twilio suffered a serious data breach following a "sophisticated social engineering attack". After using phishing attacks on company employees, hackers were able to access user data, but it seems that the impact of the hack was more widespread.

Twilio has now revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Although the number of users affected by the breach is relatively small, the implications are very serious and will dent confidence in the company.

Continue reading →

Application security is becoming mainstream, and that's a good thing as it means that security testing is becoming an embedded aspect of the software development life cycle (SDLC). It also means that automated security testing tools are becoming faster, more sophisticated, and better integrated, so they're less likely to slow down developers or burden them with too many trivial findings or false positives.

But as good and necessary as AppSec testing tools are, it's not nearly enough simply to buy them and run them -- you need to buy the right ones and configure them correctly so that they help build security into your SDLC without bogging it down. It's important to implement a security strategy and a plan. It’s also important to employ developers with the skills to build trust into your software -- a concept known as 'holistic AppSec'.

Continue reading →

When an organization migrates its IT systems to the cloud -- and builds new applications in the cloud -- it relieves its security team of the responsibility of building and maintaining physical IT infrastructure. The shared security model of cloud dictates that cloud service providers (CSPs) such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure are responsible for the security of the physical infrastructure. Their customers are responsible for the secure use of cloud resources.

But embracing the cloud for building and managing new applications means security teams cannot deploy the traditional security technologies and processes they’ve long relied on to thwart cyberattacks. Cloud computing represents a paradigm shift in their roles and responsibilities and their approach to protecting sensitive data against falling into the wrong hands.

Continue reading →

A new report from Barracuda finds the volume of ransomware threats detected spiked between January and June of this year to more than 1.2 million per month.

Researchers have also seen a spike in the number of service providers that have been hit with a ransomware attack. The main targets, however, are still five key industries: education, municipalities, healthcare, infrastructure, and financial.

Continue reading →

Major cyberattacks still have the power to make headline news, yet reporting and indeed conviction rates for cybercrime remain low. It's perhaps not surprising then that rising numbers of young people are getting involved in these illegal activities.

We spoke to Simon Newman, International Cyber Expo Advisory Council member and CEO of the Cyber Resilience Centre for London, to get his views on what needs to be done to improve reporting and change the mindset of 'script kiddies' for the better.

Continue reading →

LastPass, the firm behind the eponymous password management software, has revealed that it fell victim to a security breach two weeks ago. Although the company is quick to point out that passwords stored by users have not been exposed, the incident remains hugely significant.

The hackers were able to breach the security of a developer account and took advantage of this to steal "source code and some proprietary LastPass technical information". While LastPass is at pains to stress that it has seen "no evidence that this incident involved any access to customer data or encrypted password vaults" it is an incident that will nonetheless dent user confidence.

Continue reading →

Six months after the Log4Shell vulnerability was made known, vulnerable instances remain accessible on the internet and people attempting to exploit them according to the latest Trustwave SpiderLabs Telemetry report.

Using data gathered from the Shodan device search engine, the report shows that as of June 9, 2022, 1,467 instances were vulnerable to Log4Shell. These vulnerable instances are from the Russian Federation, United States, and Germany with 266 (18 percent), 215 (15 percent), and 205 (15 percent) hosts, respectively.

Continue reading →

A new survey of over 300 UK security professionals shows 32 percent of respondents say they are kept awake by job stress, 25 percent by lack of opportunity, but only 22 percent by their organization suffering a cyberattack.

The study from The Chartered Institute of Information Security (CIISec) says organizations have been slow to adopt industry standards. Almost half (49 percent) don't follow the UK Government's Cyber Essentials practices, which provide basic best practice; and just 20 percent have formally adopted the NCSC's 'Ten steps to cyber security' guidance.

Continue reading →

After a tailing off during the pandemic, phishing is back, with more attacks spotted in the second quarter of this year than for the whole of 2021.

The latest phishing and malware report from Vade also shows that malware emails decreased 48 percent month-on-month -- down from 32.9 million in March to 17 million in April -- but rebounded 31 percent May, with 22.4 million malware-weaponized emails detected. June saw even higher malware volumes (28.9 million), a 29 percent increase from the previous month.

Continue reading →

New research from Venafi into the rise of nation-state cyberattacks and their links to geopolitics has revealed that two-thirds (64 percent) of security decision-makers suspect that their organization has been directly targeted or impacted by a nation state attack.

In addition, 77 percent believe we're in a perpetual state of cyberwar, while 66 percent of companies say they have changed their security strategy as a direct response to the war in Ukraine.

Continue reading →