Security News > 2020

OpenSSH now supports FIDO U2F security keys for 2-factor authentication
2020-02-17 09:18

FIDO protocol-based hardware security devices are stronger and fool-proof mechanisms for authentication because they use public-key cryptography to protect against advanced malware, phishing, and man-in-the-middle attacks. "In OpenSSH, FIDO devices are supported by new public key types 'ecdsa-sk' and 'ed25519-sk', along with corresponding certificate types," the OpenSSH 8.2 release note says.

A Dozen Vulnerabilities Affect Millions of Bluetooth LE Powered Devices
2020-02-17 07:10

A team of cybersecurity researchers late last week disclosed the existence of 12 potentially severe security vulnerabilities, collectively named 'SweynTooth,' affecting millions of Bluetooth-enabled wireless smart devices worldwide and, worryingly, a few of them haven't yet been patched. All SweynTooth flaws basically reside in the way software development kits used by multiple systems-on-a-chip have implemented Bluetooth Low Energy wireless communication technology, which powers at least 480 distinct products from several vendors including Samsung, FitBit and Xiaomi.

It is with a heavy heart we must inform you, once again, folks are accidentally spilling thousands of sensitive pics, records onto the internet
2020-02-17 07:04

A software vendor specializing in record-keeping tools for plastic surgery clinics poorly secured a storage bucket hosted by Amazon Web Services containing hundreds of thousands of sensitive patient photos and records. Infosec outfit ClearSky claims it has evidence of Iranian hackers, likely state backed, breaking into "dozens of companies around the world in the past three years" by exploiting "known vulnerabilities in systems with unpatched VPN and RDP services." The miscreants target businesses that provide IT services to others, allowing the intruders to menace thousands of customers, we're told.

Three API security risks in the wake of the Facebook breach
2020-02-17 06:30

The theft of access tokens represents a major API security risk moving forward, but also highlights how API risks can remain undetected for so long. API risk is rooted in a lack of visibility, not only into its traffic, but also into its flexible and powerful parameters, known as API specifications, or "specs." DevOps and SecOps attempt to mitigate this risk by creating and maintaining API catalogs, which are a collection of its specs.

Take your SOC to the next level of effectiveness
2020-02-17 06:00

Enterprise security infrastructures average 80 security products, creating security sprawl and a big management challenge for SOC teams. With high volumes of data generated from security controls across the infrastructure, SOC teams often rely on Security Information and Event Management solutions to aggregate data and deliver insight into events and alerts.

SecOps teams face challenges in understanding how security tools work
2020-02-17 05:30

Security professionals are overconfident in their tools with 50% reporting that they have experienced a security breach because one or more of their security products was not working as expected, according to Keysight. "Enterprises are faced with a continuous stream of cyberattacks that threaten their businesses, and in many cases they attempt to deal with these by buying more security tools. Yet they don't know whether these products are delivering the protection they expect," said Scott Register, vice president, security solutions at Keysight's Network Applications & Security Group.

Researchers design a tool to identify the source of errors caused by software updates
2020-02-17 05:00

We've all shared the frustration when it comes to errors - software updates that are intended to make our applications run faster inadvertently end up doing just the opposite. These bugs, dubbed in the computer science field as performance regressions, are time-consuming to fix since locating software errors normally requires substantial human intervention.

Key technology trends that will redefine businesses over the next three years
2020-02-17 04:30

Even though people are embedding technology into their lives more than ever before, organizations' attempts to meet their needs and expectations can fall short. While some have referred to today's environment as a tech-lash, or backlash against technology, that term fails to acknowledge the extent to which society is using and benefitting from technology.

Veracode Static Analysis: Comprehensive analysis across the development lifecycle
2020-02-17 03:30

The new release features comprehensive analysis across the development lifecycle, including a new Pipeline Scan that is optimized for use when code is submitted to the build process. Veracode Static Analysis is part of the Veracode SaaS platform providing comprehensive software security analysis capabilities, developer enablement, and AppSec governance, including compliance frameworks and market-leading analytics.

A10 Networks vThunder TPS: Providing 100 Gbps throughput in a single virtual appliance
2020-02-17 03:00

A10 Networks announced it has delivered the industry's highest-performance virtual DDoS defense solution with its software version of the Thunder Threat Protection System solution, vThunder TPS. The enhanced vThunder TPS provides 100 Gbps throughput in a single virtual appliance and can be expanded to 800 Gbps with eight-way clustering. vThunder TPS is compact and efficient, allowing it to be deployed in next-generation mobile edge compute environments, conserving space and power while providing powerful DDoS protection.