The Biden Administration published a new executive order (EO) to strengthen the digital security of U.S. federal government networks. Published on May 12 by The White House, the executive order covered much of what many media outlets reported would app… Read More: New Executive Order Seeks to Strengthen Security of Federal Government Networks
After the introduction of CCPA and GDPR, much more attention is given to third-party risks, and the privacy terms and conditions users agree to. Global privacy regulations, such as the CCPA and GDPR, were enacted to ensure stricter standards when handling the personal data of consumers. As per these regulations, organizations can be held responsible […]
The post How Companies Need to Treat User Data and Manage Their Partners appeared first on Security Affairs. Read More: How Companies Need to Treat User Data and Manage Their Partners
Canada’s new Semiconductor Council aims to bolster its homegrown semiconductor supply chain.
The post Industry leaders form new Semiconductor Council to strengthen Canada’s chip supply chain first appeared on IT World Canada. Read More: Industry leaders form new Semiconductor Council to strengthen Canada’s chip supply chain
Latest episode – listen now! (And please share with your friends.) Read More: S3 Ep31: Apple zero-days, Flubot scammers and PHP supply chain bug [Podcast]
The US Defense Department and third-party military contractors are being advised to strengthen the security of their operational technology (OT) in the wake of security breaches, such as the SolarWinds supply chain attack. The guidance comes from the N… Read More: NSA offers advice: connecting OT to the rest of the net can lead to “indefensible levels of risk”
The Biden administration said it’s drafting an executive order to help the United States government better defend itself against digital supply chain attacks. A Step Up for Federal Procurement: According to NPR, the executive order that’s being drafted … Read More: Biden Administration Drafting EO to Help U.S. Gov’t Secure Digital Supply Chain
Third time lucky! (The first two times were lucky, too, luckily.) Read More: PHP community sidesteps its third supply chain attack in three years
In December 2020, the world discovered that the SolarWinds Orion Platform had been compromised by cybercriminals, potentially affecting thousands of businesses the world over. Security groups such as the National Cyber Security Centre (NCSC) pro… Read More: The Winds of Change – What SolarWinds Teaches Us
Embarrassed overreaction or righteous indignation? An academic research group has provoked the Linux crew to ban their whole university! Read More: Linux team in public bust-up over fake “patches” to introduce bugs
Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. “This information was then sent to a third-party server outside of Codecov’s infrastructure,” the company warned.
Codecov’s Bash Uploader is also used in several uploaders — the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step — and the company says these uploaders were also impacted by the breach…
Read More: Backdoor Found in Codecov Bash Uploader
Where were you when you first heard about the SolarWinds breach? It’s not unusual for information security professionals to learn about a breach. Keeping track of the news is part of the job. The SolarWinds attack, however, was different for two primar… Read More: Securing Your Supply Chain with CIS and Tripwire
Expect to see a lot of supply chain attacks in 2021, experts warn.
The post MapleSEC Satellite 2021: Emerging threats are ready to target critical infrastructure first appeared on IT World Canada.
Today, developers at small or large companies use package managers to download and import libraries that are then assembled together using build tools to create a final app.
This app can be offered to the company’s customers or can be used internally at the company as an employee tool.
But some of these apps can also contain proprietary or highly sensitive code, depending on their nature. For these apps, companies will often use private libraries that they store inside a private (internal) package repository, hosted inside the company’s own network…
Read More: Dependency Confusion: Another Supply-Chain Vulnerability
Latest episode, listen now! (Includes special gardening safety section at no extra charge!) Read More: S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs [Podcast]
Ever counted how many external source code dependencies your fancy new software product has? Be prepared for a surprise! Read More: How one man silently infiltrated dozens of high-tech networks
Bloomberg News has a major story about the Chinese hacking of computer motherboards made by Supermicro, Lenovo, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:
China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the …
Read More: Chinese Supply-Chain Attack on Computer Systems
It seems to be the season of sophisticated supply-chain attacks.
This one is in the NoxPlayer Android emulator:
ESET says that based on evidence its researchers gathered, a threat actor compromised one of the company’s official API (api.bignox.com) and file-hosting servers (res06.bignox.com).
Using this access, hackers tampered with the download URL of NoxPlayer updates in the API server to deliver malware to NoxPlayer users.
Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn’t target all of the company’s users but instead focused on specific machines, suggesting this was a highly targeted attack looking to infect only a certain class of users…
Read More: NoxPlayer Android Emulator Supply-Chain Attack
At the same time the Russians were using a backdoored SolarWinds update to attack networks worldwide, another threat actor — believed to be Chinese in origin — was using an already existing vulnerability in Orion to penetrate networks:
Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.
Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies…
Read More: Another SolarWinds Orion Hack
Article by Adam Strange, Data Classification Specialist, HelpSystems. In the digitally accelerated COVID-19 environment of 2021, what are the top data security trends that organisations are facing? Here is HelpSystems Data Classification Specialist, Adam … Read More: Predicted Data Classification Trends for 2021