Tag: Log4Shell
XZ Utils Scare Exposes Hard Truths in Software Security
The recent discovery of a backdoor in the XZ Utils data compression utility — present in nearly all major Linux distributions — is a...
Will Government Secure Open Source or Muck It Up?
Can open source software be regulated? Should it be regulated? And if so, will it lead to enhanced security? In mid-September, two governments' approaches...
‘Gold Melody’ Access Broker Plays on Unpatched Servers’ Strings
An initial access broker (IAB) is still running rampant despite being tracked for seven years by researchers, and despite striking up a predictable tune...
Security Conferences Keep Us Honest
In August on a stage at Black Hat USA, I described in detail how Microsoft guest accounts could gain access to view and manipulate...
Iranian APT Hits US Aviation Org via ManageEngine, Fortinet Bugs
State-sponsored threat actors have exploited a US aeronautical organization, using known vulnerabilities in Zoho ManageEngine software and in Fortinet firewalls. The organization has not been...
Despite Post-Log4J Security Gains, Developers Can Still Improve
Developers are increasingly adopting security testing as part of the development pipeline, but companies still have room for improvement, with a minority of companies...
SBOMs Still More Mandate Than Security
Software bills of materials are having a moment. Following an executive order issued by the Biden administration in May 2021, the software manifests, which outline...
WordPress plugin lets users become admins – Patch early, patch often!
by Paul Ducklin If you run a WordPress site with the Ultimate Members plugin installed, make sure you’ve updated it...
Supply Chain Attack Defense Demands Mature Threat Hunting
The headlines have become a steady occurrence ... Kaseya, SolarWinds, 3CX, MOVEit, and there are sure to be others around the corner ... because...
Lazarus Group Striking Vulnerable Windows IIS Web Servers
The North Korean state-backed threat actor Lazarus Group has reinvented its ongoing espionage campaign by exploiting known vulnerabilities in unpatched Windows IIS Web servers...
Invicti Zooms In On Vulnerabilities That Plague Developers, Security Pros
Invicti's Patrick Vandenberg reveals findings from the company's latest AppSec report, looking at trends Invicti has recently observed and how they're evolving. Remote code...
SOSSA and CRA Spell Trouble for Open Source Software
Open source software (OSS) is mainstream today, but just because it's widely used doesn't mean it's widely understood. And this is especially true when...
AI Experts: Account for AI/ML Resilience & Risk While There’s Still Time
RSA CONFERENCE 2023 – San Francisco – As enterprises and government agencies increasingly weave artificial intelligence (AI) and machine learning (ML) into their broader set...