Hacker Summer Camp: Reboot needed to tackle software supply chain threats

“Everything under heaven is in chaos. The situation is excellent!” That is how Mao Zedong, the chairman of China's Communist party, read the state of affairs in China in the early 1960s. As they weigh huge shifts in the number and nature of cyberthreats and contemplate substantial changes in their ...
The big cybersecurity themes at Black Hat 2024 — and why they matter

As tens of thousands of cybersecurity professionals, executives and policymakers converge on the Las Vegas strip for “Hacker Summer Camp” — the annual Black Hat, DEF CON and B-Sides conferences — the stakes couldn’t be higher. After all, 2024 is a year that has seen increasing levels of cyber disruption, from ...
NSA: State-backed attackers are not after your data — they're targeting CI

Companies in the crosshairs of advanced persistent threat (APT) actors should view data theft not as the primary objective of hacking crews backed by Russia, China and Iran, but rather as a means to an end, the U.S. National Security Agency (NSA) told attendees at the annual RSA Conference ...
Verizon 2024 DBIR: Software supply chain risks fuel a data breach epidemic

In a dramatic shift, the 2024 version of the Verizon Business Data Breach Investigations Report (DBIR) sounds the alarm about the growing link between data breaches and the vulnerability of the software supply chain, and calls on enterprises to hold their software suppliers to a higher standard for software ...
XZ Trojan highlights software supply chain risk posed by 'sock puppets'

The high-profile compromise of the XZ Utils open-source compression library, disclosed last week, highlights an under-reported threat: social engineering attacks that target open-source package maintainers and other developers to stage software supply chain attacks. ...
A software supply chain meltdown: What we know about the XZ Trojan

Security experts are sounding alarms about what some are calling the most sophisticated supply chain attack ever carried out on an open source project: a malicious backdoor planted in xz/liblzma (part of the xz-utils package), a popular open source compression tool ...
How CISA’s secure software development attestation form falls short

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the White House’s Office of Management and Budget (OMB) have released their Secure Software Development Attestation Form, a long-anticipated worksheet that asks organizations that sell software and services to the federal government to attest to the security of their wares. ...
The Cloudflare source code breach: Lessons learned

The high-profile web hosting company Cloudflare said last week that a sophisticated attacker gained access to code repositories used by the company, and made off with sensitive internal code. This was just the latest such attack targeting the firm. ...
Lessons from the Mercedes-Benz GitHub source code leak

The German automotive giant Mercedes-Benz found itself on the wrong end of a software supply chain incident after RedHunt Labs found a leaked GitHub token belonging to an employee of the carmaker that granted “unrestricted” and “unmonitored” access to the entirety of source code hosted on Mercedes’ internal GitHub Enterprise ...
HPE, Microsoft breach disclosures mark new era of CISO accountability

Disclosures about cybersecurity breaches by Microsoft and Hewlett Packard Enterprise (HPE) underscore the influence of two entities that are reshaping the cybersecurity landscape: the SVR and the SEC, that is, Russia’s Foreign Intelligence Service and the U.S. Securities and Exchange Commission. ...