Security News

Blackbaud to pay $3M for misleading ransomware attack disclosure
2023-03-10 16:30

Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission, alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers. To settle the SEC's charges, Blackbaud has agreed to pay a $3 million civil penalty for failing to disclose the full scope of the cyber attack.

LastPass releases new security incident disclosure and recommendations
2023-03-04 15:18

"The threat actor was able to capture the employee's master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer's LastPass corporate vault," detailed the company's recent security incident report. LastPass issued recommendations for affected users and businesses in two security bulletins.

How companies time data leak disclosures
2022-12-05 04:30

Every year the personal data of millions of people, such as passwords, credit card details, or health details, fall into the hands of unauthorized persons through hacking or data processing errors by companies. In the EU, any data leak that may result in risks for the concerned individuals must be reported within 72 hours.

One month after Black Hat disclosure, HP's enterprise kit still unpatched
2022-09-13 08:30

Multiple high-severity firmware bugs in HP enterprise computers remain unpatched, some more than a year after Binarly security researchers disclosed the vulnerabilities to HP and then discussed them at the Black Hat security conference last month. HP is "Aware of potential SMM vulnerabilities reported by Binarly," according to a spokesperson, who directed The Register to a security alert from March that addressed one of the bugs.

Responsible Disclosure for Cryptocurrency Security
2022-09-09 13:33

Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. Why can't the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don't have an ongoing relationship with the hardware and software providers that protect their funds, nor do they have an incentive to update security on a regular basis.

Rise in IoT vulnerability disclosures, up 57%
2022-08-29 03:00

Vulnerability disclosures impacting IoT devices increased by 57% in the first half of 2022 compared to the previous six months, according to research by Claroty. The report also found that over the same time period, vendor self-disclosures increased by 69%, making vendors more prolific reporters than independent research outfits for the first time, and fully or partially remediated firmware vulnerabilities increased by 79%, a notable improvement given the relative challenges in patching firmware versus software vulnerabilities.

Time from vulnerability disclosures to exploits is shrinking
2022-07-27 15:00

Palo Alto Networks' annual Unit 42 incident response report is out, warning of an ever-decreasing gap between vulnerability disclosures and an increase in cybercrime. "The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," the vendor says.

Hackers scan for vulnerabilities within 15 minutes of disclosure
2022-07-26 19:44

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. The speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited.

A closer look at the SEC Cybersecurity Disclosure rule
2022-06-15 04:33

In this Help Net Security video, James Turgal, VP of Cyber Risk, Strategy and Board Relations at Optiv, discusses the proposed new SEC Cybersecurity Disclosure rule. The ruleset would require...

The state of coordinated vulnerability disclosure policies in EU
2022-04-19 02:30

The European Union Agency for Cybersecurity publishes a map of national coordinated vulnerability disclosure policies in the EU Member States and makes recommendations. Vulnerability disclosure has become the focus of attention of cybersecurity experts engaged in strengthening the cybersecurity resilience of the European Union.