Security News
Shopify has forked out $50,000 in a bug bounty payment to computer science student Augusto Zanellato following the discovery of a publicly available access token which gave world+dog read-and-write access to the company's source code repositories. "I found out that the user in question was a member of the Shopify organisation and that he had push and pull access to all the private Shopify repositories."
Veeam Software announced another quarter of double-digit growth with an annual recurring revenue increase of 26% year-over-year for Q2'21. Veeam delivered more than 20 new product releases including significant enterprise-grade feature updates over the last 18 months and several major releases in 1H'21 - Veeam Backup for Google Cloud Platform and Veeam Backup & Replication v11. "Now, more than ever, especially as ransomware attacks increase, data is the lifeblood of organizations. The need for Modern Data Protection to achieve operational objectives and business continuity is fueling the demand for Veeam's industry-leading solutions," said William H. Largent, Chief Executive Officer and Chairman of the Board at Veeam.
On Wednesday, NordVPN released a report outlining the proliferation of smart devices and consumer sentiments regarding responsibility for protecting them. About one-quarter of respondents do not incorporate any of the listed measures to protect these devices, and many feel that consumers are not responsible for smart and IoT device security.
The Cyberspace Administration of China has issued new, stricter vulnerability disclosure regulations that require software and networking vendors affected by critical flaws to disclose them first-hand to the government authorities within two days of filing a report. The "Regulations on the Management of Network Product Security Vulnerability" are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks.
An Israeli firm accused of supplying spyware to governments has been linked to a list of 50,000 smartphone numbers, including those of activists, journalists, business executives and politicians around the world, according to reports Sunday. The Post said 15,000 of the numbers on the list were in Mexico and included those of politicians, union representatives, journalists and government critics.
MI5's UK Annual Threat Update 2021 from director general Ken McCallum almost mirrors the threat warnings delivered by U.S. government agencies: ransomware and IP theft in cyber, and extreme right-wing terrorism amplified by online echo chambers. McCallum's view is, "For as long as it's cheap and easy for hostile actors to try to access UK data; or to cultivate initially-unwitting individuals here; or to spread false, divisive information - they are bound to keep doing so." The UK also needs to get its own house in order, and in both cases the call is for new and stronger legislation.
Palo Alto Networks' Unit 42 has probed the methods and tactics of the Mespinoza ransomware group, finding its messaging "cocky" and its tools blessed with "creative names", but turned up no evidence to suggest the group has shifted to ransomware-as-a-service. The Mespinoza group, while not as prolific as the better-known REvil, has enjoyed considerable success from its activities: Unit 42's investigation showed victims paying up to $470,000 per incident to unlock their files, primarily from targets in the US and UK, including an attack on Hackney Council in October last year.
On Wednesday, Atlas VPN released a report using Identity Theft Resource Center data, outlining personal data breaches for the first half of 2021. "Millions of individuals and organizations are affected every day by cyberattacks that threaten to steal sensitive data. Even though more people have become aware of cyber risks, hackers develop new techniques and malware to stay ahead of defense technologies," reads a portion of the blog post written by William S., an Atlas VPN publisher and cybersecurity researcher.
Much to the derision of expert commentators on social media, the COVID-Status Certification Review details the government's approach to so-called vaccine passports and its response to concerns over their usage. "Any decision to require COVID-status certification will be a discretionary choice for individual organisations to make. However, it is possible that certification could provide a means of keeping events going and businesses open if the country is facing a difficult situation in autumn or winter," it said.
CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March. CNA is considered the seventh-largest commercial insurance firm in the US based on stats from the Insurance Information Institute.