Security News
On December 9, 2021, a tweet linking to a 0-day proof of concept exploit for the Log4Shell vulnerability on GitHub set the internet on fire and sent companies scrambling to mitigate, patch and then patch again as additional PoCs appeared. Public vulnerability disclosure - i.e., the act of revealing to the world the existence of a bug in a piece of software, a library, extension, etc.
Much is made of shared responsibility for cloud security. Some of this migration is to public clouds such as Amazon Web Services and Microsoft Azure.
The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state's website, and then reported it to the state. The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.
Thingiverse, a site that hosts free-to-use 3D printer designs, has suffered a data breach - and at least 228,000 unlucky users' email addresses have been circulating on black-hat crime forums. News of the breach came from Have I Been Pwned, whose maintainer Troy Hunt uploaded the 228,000 breached email addresses to the site after being tipped off to their circulation on the forums.
Victims of ransomware attacks in the United States may soon have to report any payments to hackers within 48 hours, according to a new legislation proposal titled the 'Ransom Disclosure Act'. Require ransomware victims to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;.
Cybercriminals quickly started exploiting a vulnerability that affects routers and modems from many vendors that use the same underlying firmware. On August 3, cybersecurity firm Tenable published a blog post describing a vulnerability affecting routers that use firmware from Arcadyan, a Taiwan-based provider of networking solutions.
Bug hunters who want to help the US federal government secure their online assets can now source all the relevant information from a vulnerability disclosure policy platform offered by the Cybersecurity and Infrastructure Security Agency. "Through this crowdsourcing platform, Federal Civilian Executive Branch agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified," Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, explained.
The Cybersecurity and Infrastructure Security Agency today launched a new vulnerability disclosure policy platform for US federal civilian agencies. The newly launched VDP platform service allows Federal Civilian Executive Branch agencies to identify, monitor, and close security gaps in critical systems with the help of ethical hackers worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency today announced that it has partnered with the crowdsourced cybersecurity community for the launch of its vulnerability disclosure policy platform. Working in collaboration with bug bounty platform Bugcrowd and government technology contractor Endyna, CISA introduced its VDP platform to help Federal Civilian Executive Branch agencies identify and address vulnerabilities in critical systems.
Adversaries are typically quick to take advantage of newly disclosed vulnerabilities, and they started scanning for vulnerable Microsoft Exchange Servers within five minutes after Microsoft's announcement, Palo Alto Networks reveals in a new report. Between January and March, threat actors started scanning for vulnerable systems roughly 15 minutes after new security holes were publicly disclosed, and they were three times faster when Microsoft disclosed four new bugs in Exchange Server on March 2.