Security News

Estonia arrests hacker who stole 286K ID scans from govt database
2021-07-29 21:13

A Tallinn man was arrested a week ago in Estonia on suspicion of exploiting a vulnerability in a government photo transfer service to download ID scans of 286,438 Estonians from the Identity Documents Database. "During the searches, investigators found the downloaded photos from a database in the person's possession, along with the names and personal identification codes of the people," Oskar Gross, head of the police's cybercrime unit, said.

The Life Cycle of a Breached Database
2021-07-29 16:20

Every time there is another data breach, we are asked to change our password at the breached entity. A decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5. "You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary then you can essentially break 60-70 percent of the hashed passwords in a day or two," said Fabian Wosar, chief technology officer at security firm Emsisoft.

Hole blasted in Guntrader: UK firearms sales website's CRM database breached, 111,000 users' info spilled online
2021-07-23 11:29

Criminals have hacked into a Gumtree-style website used for buying and selling firearms, making off with a 111,000-entry database containing partial information from a CRM product used by gun shops across the UK. The Guntrader breach earlier this week saw the theft of a SQL database powering both the Guntrader.uk buy-and-sell website and its electronic gun shop register product, comprising about 111,000 users and dating between 2016 and 17 July this year.

Zero-Day Attacks on Critical WooCommerce Bug Threaten Databases
2021-07-15 20:50

A critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been under attack as a zero-day bug, researchers have disclosed. The exploitation prompted WooCommerce to release an emergency patch for the issue late on Wednesday.

So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into
2021-07-15 01:07

Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year. Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers.

NewsBlur Restores Service After Hacker Wipes Database
2021-06-28 08:44

Personal news reader NewsBlur was down for several hours last week after a hacker managed to wipe the service's database. The hacker was able to gain access to the database while the RSS reader was being transitioned to Docker, which circumvented some firewall rules and opened the NewsBlur MongoDB database to the public.

Week in review: Preventing ransomware attacks, SOC burnout, and customizing your ATT&CK database
2021-06-27 08:00

SOC burnout is real: 3 preventative steps every CISO must take
For those that spend every day as a security professional and for anyone who truly appreciates the demands applied to these essential security team members, burnout is a harsh reality.
Cloud security skills in high demand
Cloud security is critically important for organizations across the globe as adoption of cloud infrastructure continues to grow at a rapid clip.

Google Expands Open Source Vulnerabilities Database
2021-06-24 13:52

Google today announced the expansion of the Open Source Vulnerabilities database to include information on bugs identified in Go, Rust, Python, and DWF open source projects. Launched in February 2021 with details on thousands of vulnerabilities from Google's OSS-Fuzz project, the OSV database is meant to provide automated, improved vulnerability triage for both developers and users of open source software.

Google pushes bug databases to get on the same page for open-source security
2021-06-24 13:00

Google on Thursday introduced a unified vulnerability schema for open source projects, continuing its current campaign to shore up the security of open source software. The as-yet-unnamed vulnerability interchange schema aspires to bridge gaps that make it difficult to connect current, fragmented vulnerability databases by providing a common interchange format.

New tool allows organizations to customize their ATT&CK database
2021-06-23 09:00

MITRE Engenuity has released ATT&CK Workbench, an open source tool that allows organizations to customize their local instance of the MITRE ATT&CK database of cyber adversary behavior. The tool allows users to add notes, and create new or extend existing objects - matrices, techniques, tactics, mitigations, groups, and software - with new content.