Security News

Why Do User Permissions Matter for SaaS Security?
2023-01-09 12:57

The attack ended when security teams were able to terminate user access, although data which had already been downloaded remained in the threat actor's hands. SaaS user permissions allow app owners to limit a user's resources and actions based on the user's role.

Microsoft ends Windows 7 extended security updates on Tuesday
2023-01-08 16:06

Windows 7 Professional and Enterprise editions will no longer receive extended security updates for critical and important vulnerabilities starting Tuesday, January 10, 2023.The Extended Security Update program was the last resort option for customers who still needed to run legacy Microsoft products past their end of support on Windows 7 systems.

Schneier on Security Audiobook Sale
2023-01-06 20:04

A friend who writes technical books for people doing crafts, discovered that their book had been "Put on sale" and the company used it as an excuse to not pay the author their dues. In fact the company "Forgot" to even register the re-print run and sales.

CircleCI Urges Customers to Rotate Secrets Following Security Incident
2023-01-05 09:12

DevOps platform CircleCI on Wednesday urged its customers to rotate all their secrets following an unspecified security incident. "Immediately rotate any and all secrets stored in CircleCI," CircleCI's chief technology officer, Rob Zuber, said in a terse advisory.

CircleCI warns of security breach — rotate your secrets!
2023-01-05 05:39

CircleCI states it is currently investigating a security incident, according to email notifications being received by CircleCI users. Breach follows CircleCI's 'reliability' update.

Serious Security: How to improve cryptography, resist supply chain attacks, and handle data breaches
2023-01-04 19:50

So we though we'd take a quick look back at some of the major issues we covered over the last couple of weeks, and reiterate the serious security lessons we can learn from them. If you are ever stuck with doing a data breach notification, don't try to rewrite history to your marketing advantage.

Qualcomm Chipsets and Lenovo BIOS Get Security Updates to Fix Multiple Flaws
2023-01-04 10:47

Qualcomm on Tuesday released patches to address multiple security flaws in its chipsets, some of which could be exploited to cause information disclosure and memory corruption. The five vulnerabilities - tracked from CVE-2022-40516 through CVE-2022-40520 - also impact Lenovo ThinkPad X13s laptops, prompting the Chinese PC maker to issue BIOS updates to plug the security holes.

Attackers evolve strategies to outmaneuver security teams
2023-01-04 04:00

Once inside corporate networks, they move swiftly to target and exfiltrate high-value data, including data crucial to the organization, intellectual property, and personal identifiable information or sensitive PII. Structured and unstructured data are at risk. Attackers targeted structured data used in databases such as Oracle and Microsoft Azure SQL Server and for analytics in web platforms such as Databricks.

'Multiple security breaches' shut down trucker protest
2023-01-03 20:30

Canada Unity, one of the groups that organized last year's so-called Freedom Convoy during which truckers and others overtook Canadian city streets to protest mandatory COVID-19 vaccinations, has canceled a repeat demonstration planned for February 17 to 20, according to a press release posted to the group's Facebook page. "As a result of these security breaches that are beyond our control, I cannot in good conscience guarantee Public Safety as I promised, nor can I guarantee other Team Canada Unity Freedom Convoy National Partners that could be deemed as convoy organizers, protection from being charged under Ontario's Bill 100 Act," wrote James Bauder, one of the group's organizers, in a post that has since been removed.

Enforcement vs. Enrollment-based Security: How to Balance Security and Employee Trust
2023-01-03 14:09

An enforcement-based approach to security begins with a security policy backed by security controls, often heavy-handed and designed to prevent employees from engaging in risky behavior or inadvertently expanding the potential attack surface of an organization. Most organizations exclusively use enforcement-based security controls, usually carried out at the network level with a Cloud Access Security Broker or a Security Services Edge.