Is there a widening gulf between you and your remote workers? Yes – and it’s security shaped
2021-02-04 07:30

It's been almost a year since large parts of the workforce beat a hasty retreat from their offices, and began a mass experiment in working from home, often courtesy of Microsoft 365. After 12 or so months, it's safe to say that the case for productive remote working has been proved, and that many workers will continue to do so even when the all clear sounds.

Nespresso smart cards hacked to provide infinite coffee after someone wasn't too perky about security
2021-02-04 06:40

Some commercial Nespresso machines in Europe that incorporate a smart card payment system can be manipulated to add unlimited funds to purchase coffee, thanks to reliance on technology that's been known to be insecure for more than a decade. In a coordinated vulnerability disclosure published this week, Polle Vanhoof, a security researcher, describes a vulnerability affecting unspecified Nespresso Pro machines equipped with a smart card reader: the problem? Some rely on outdated Mifare Classic smart cards.

Runtime data no longer has to be vulnerable data
2021-02-04 06:15

Today, the security model utilized by nearly all organizations is so weak that the mere act of creating new data comes with the immutable assumption that such data will become public and subject to theft or misuse. If attackers gain access to a data center or network, they gain access to data.

Major trends that are changing the CISO role
2021-02-04 06:00

In a rapidly changing business environment, the role of the CISO has hugely expanded in its scope and responsibilities, a BT Security survey of over 7000 business leaders, employees and consumers from across the world reveals. With the research also identifying security as the top priority for businesses after coronavirus, CISOs have never been more integral to business operations.

API security concerns hindering new application rollouts
2021-02-04 05:30

66% of organizations admit to having slowed the rollout of a new application into production because of API security concerns, a Salt Security report reveals. "In today's digital economy, APIs are the direct gateway to organizations' most critical data and assets. Built to enable customers and partners, these APIs create risk by also providing a path for attackers to follow. As APIs have grown in volume and functionality, they've made ever more attractive targets for hackers, driving up the number and sophistication of API attacks," said Roey Eliyahu, CEO at Salt Security.

Most are concerned about data privacy, but few are willing to change habits
2021-02-04 05:00

Today's consumers are willing to trade their personal data for personalization, but also have fast-growing concerns about data privacy, according to a survey by Entrust. Further, 61% of consumers also indicated that they're at least somewhat willing to share personal information with an app in exchange for more transparency and control over their data.

Siemens Releases Patches to Prevent Remote Takeover of SIMATIC HMI Panels
2021-02-04 04:32

Siemens has released patches for some of its SIMATIC human-machine interface panels to address a high-severity vulnerability that can be exploited remotely to take full control of a device. SIMATIC HMI panels are designed for operator control and the monitoring of machines and plants.

NIST provides guidance to protect controlled unclassified information
2021-02-04 04:30

Vulnerable data includes the sensitive but unclassified information managed by government, industry and academia in support of various federal programs. Now, a finalized publication from NIST provides guidance to protect such controlled unclassified information from APTs.

Why pseudonymisation is important to protect personal data?
2021-02-04 04:00

The European Union Agency for Cybersecurity released its report on pseudonymisation for personal data protection, providing a technical analysis of cybersecurity measures in personal data protection and privacy. While not a new process, pseudonymisation came into the spotlight in 2018 with the enforcement of GDPR, which references it as a security and data protection by design mechanism.

Oxfam Australia investigates data breach after database sold online
2021-02-04 03:30

Oxfam Australia is investigating a suspected data breach after a threat actor claimed to be selling a database belonging to the organization on a hacker forum. Last week, BleepingComputer learned of a threat actor claiming to be selling a database containing the Oxfam Australia contact and donor information for 1.7 million people.