GitHub fixes bug causing users to log into other accounts
2021-03-09 09:16

Last night, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability. The anomalous behavior stemmed from a rare race condition vulnerability in which a GitHub user's login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie for, and access to, the former user's account.

GitHub bug caused users to login to other user accounts
2021-03-09 09:16

Last night, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability. The anomalous behavior stemmed from a rare race condition vulnerability in which a GitHub user's login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie for, and access to, the former user's account.

GitHub bug briefly gave valid authenticated session cookies to wrong users
2021-03-09 06:45

If you visit GitHub today you'll be asked to authenticate anew because the code collaboration locker has squished a bug that sometimes "misrouted a user's session to the browser of another authenticated user, giving them the valid and authenticated session cookie for another user." GitHub disclosed the problem today, explaining that it could only happen under "extremely rare circumstances" and "occurred in fewer than 0.001% of authenticated sessions on GitHub.com."

Keeping your serverless architecture secure
2021-03-09 06:00

Serverless architecture empowers organizations to build and deploy software at scale without in-house servers. In this article, we'll outline the key areas you should consider if you want to keep your serverless architecture secure.

Azure flings out free virtual trusted platform module for cloudy VMs
2021-03-09 05:58

Microsoft has revealed that its Azure IaaS platform now offers a free virtual trusted platform module. The offering, dubbed "Azure Trusted Launch for virtual machines", launched as a preview on March 8th. Microsoft's CTO for Azure, Mark Russinovich, said it "allows administrators to deploy virtual machines with verified and signed bootloaders, OS kernels, and a boot policy that leverages the Trusted Launch Virtual Trusted Platform Module to measure and attest to whether the boot was compromised."

A great deal of employees have inappropriate access to sensitive data
2021-03-09 05:30

These findings highlight an increased concern over identity-based threats and the need for user access visibility across the IT estate as organizations navigate their zero trust journey. For a workforce that is both remote and distributed, decision-makers expressed concern over malicious actors impersonating employees, alongside instances of inappropriate access to sensitive information.

49% of female cybersecurity pros say the pandemic had a positive impact on their career
2021-03-09 05:00

49% of women cybersecurity pros in the U.S. and U.K. also said COVID-19 had a positive impact on their career, with just 9% saying the pandemic negatively impacted their job. 89% of women working in cybersecurity said they feel secure in their jobs.

New Side-Channel Attack Targets Intel CPU Ring Interconnect
2021-03-09 04:36

A team of researchers from the University of Illinois at Urbana-Champaign has published a paper detailing a new side-channel attack method that can be launched against devices with Intel CPUs. Following the disclosure of the Meltdown and Spectre vulnerabilities back in January 2018, researchers have increasingly focused on finding CPU side-channel attack methods - and in many cases they have been successful.

Only 12% of enterprises have fully embraced SASE
2021-03-09 04:30

Although many public and private sector organizations have elements of SASE in their IT stack, only 12% worldwide currently have a comprehensive SASE architecture, according to NetMotion. VPN is the most widely deployed SASE solution, followed by WAN optimization, cloud secure web gateways, firewall-as-a-service and SD-WAN. Despite their hype over the last two years, ZTNA/SDP and edge content filtering are the least widely deployed SASE solutions, although filtering content at the edge is most prevalent in the US, perhaps driven by the need to ensure compliance and security amidst the growth in remote working.

Microsoft Server Hack Has Victims Hustling to Stop Intruders
2021-03-09 04:14

Victims of a massive global hack of Microsoft email server software - estimated in the tens of thousands by cybersecurity responders - hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks. While the hack doesn't pose the same kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn't install the patch in time and now have hackers lingering in their systems.