What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
DarkReading.webp 2023-12-15 20:55:00 Patch Now: Exploit Activity Mounts for Dangerous Apache Struts 2 Bug (direct link) CVE-2023-50164 is harder to exploit than the 2017 Struts bug behind the massive breach at Equifax, but don't underestimate the potential for attackers to use it in targeted attacks. Threat Equifax ★★★
AlienVault.webp 2023-11-28 11:00:00 For want of a cyber nail the kingdom fell (direct link)
An old proverb, dating to at least the 1360s, states: "For want of a nail, the shoe was lost, for want of a shoe, the horse was lost, for want of a horse, the rider was lost, for want of a rider, the battle was lost, for want of a battle, the kingdom was lost, and all for the want of a horseshoe nail." When published in Ben Franklin's Poor Richard's Almanack in 1768, it was preceded by the cautionary words: "a little neglect may breed great mischief". This simple proverb and added comment serve as emblematic examples of how seemingly inconsequential missteps or neglect can lead to sweeping, irreversible, catastrophic losses. The cascade of events resonates strongly within the increasingly complex domain of cybersecurity, in which the omission of even the most elementary precaution can result in a spiraling series of calamities. Indeed, the realm of cybersecurity is replete with elements that bear striking resemblance to the nail, shoe, horse, and rider in this proverb. Consider, for example, the ubiquitous and elementary software patch that may be considered the proverbial digital "nail." In isolation, this patch might seem trivial, but its role becomes crucial when viewed within the broader network of security measures. The 2017 WannaCry ransomware attack demonstrates the significance of such patches; an unpatched vulnerability in Microsoft Windows allowed the malware to infiltrate hundreds of thousands of computers across the globe. It wasn't just a single machine that was compromised due to this overlooked 'nail,' but entire networks, echoing how a lost shoe leads to a lost horse in the proverb. This analogy further extends to the human elements of cybersecurity. Personnel tasked with maintaining an organization's cyber hygiene play the role of the "rider" in our metaphorical tale. However, the rider is only as effective as the horse they ride; likewise, even the most skilled IT professional cannot secure a network if the basic building blocks—the patches, firewalls, and antivirus software—resemble missing nails and shoes. Numerous reports and studies have indicated that human error constitutes one of the most common causes of data breaches, often acting as the 'rider' who loses the 'battle'. Once the 'battle' of securing a particular network or system is lost, the ramifications can extend much further, jeopardizing the broader 'kingdom' of an entire organization or, in more extreme cases, critical national infrastructure. One glaring example that serves as a cautionary tale is the Equifax data breach of 2017, wherein a failure to address a known vulnerability resulted in the personal data of 147 million Americans being compromised. Much like how the absence of a single rider can tip the scales of an entire battle, this singular oversight led to repercussions that went far beyond just the digital boundaries of Equifax, affecting millions of individuals and shaking trust in the security of financial systems. Ransomware Data Breach Malware Vulnerability Wannacry Equifax ★★
AlienVault.webp 2023-10-19 10:00:00 Why are organizations failing to detect cybersecurity threats? (direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. With the changing security landscape, the most daunting task for the CISO and CIO is to fight an ongoing battle against hackers and cybercriminals. Bad actors stay ahead of the defenders and are always looking to find new vulnerabilities and loopholes to exploit and enter the business network. Failing to address these threats promptly can have catastrophic consequences for the organization. A survey finds that, on average, it takes more than five months to detect and remediate cyber threats. This is a significant amount of time, as a delayed response to cyber threats can result in a possible cyber-attack. One can never forget the devastating impacts of the Equifax breach in 2017 and the Target breach in 2013 due to delayed detection and response. This is concerning and highlights the need for proactive cybersecurity measures to detect and mitigate rising cyber threats. Amidst this, it's also crucial to look into why it is challenging to detect cyber threats. Why do organizations fail to detect cyber threats? Security teams are dealing with more cyber threats than before. A report also confirmed that global cyber attacks increased by 38% in 2022 compared to the previous year. The increasing number and complexity of cyber-attacks make it challenging for organizations to detect them. Hackers use sophisticated techniques to bypass security systems and solutions - like zero-day vulnerabilities, phishing attacks, business email compromises (BEC), supply chain attacks, and Internet of Things (IoT) attacks. Some organizations are unaware of the latest cyber threat trends and lack the skills and resources to detect them. For instance, hackers offer professional services like ransomware-as-a-service (RaaS) to launch ransomware attacks. Surprisingly, two out of three ransomware attacks are facilitated by the RaaS setup, but still, companies fail to have a defensive strategy against them. Enterprises relying on legacy devices and outdated software programs are no longer effective at recognizing certain malicious activities, leaving the network vulnerable to potential threats. Additionally, the lack of trained staff, insider threats, and human errors are other reasons why many organizations suffer at the hands of threat actors. Besides this, much of the company's data is hidden as dark data. As the defensive teams and employees may be unaware of it, the hackers take complete advantage of dark data and either replicate it or use it to fulfill their malicious intentions. Moreover, cloud migration has rapidly increased in recent years, putting cybersecurity at significant risk. The complexity of the cloud environments, poorly secured remote and hybrid work environments, and sharing security responsibilities between cloud service providers and clients have complicated the situation. In addition, cloud vulnerabilities, which have risen 194% from the previous year, have highlighted the need for organizations to look out for ways to strengthen their security infrastructure. Security measures to consider to prevent cyber threats Since businesses face complex cyber threats, mitigating them require Ransomware Data Breach Tool Vulnerability Threat Cloud Equifax ★★
SecurityWeek.webp 2023-10-16 11:41:41 Equifax Fined $13.5 Million Over 2017 Data Breach (direct link) UK's financial watchdog FCA imposes a £11 million (approximately $13.5 million) fine on Equifax over the 2017 data breach. Data Breach Legislation Equifax ★★
RecordedFuture.webp 2023-10-13 18:15:00 UK fines Equifax $13.6 million for 2017 data breach (direct link) The UK arm of credit reporting firm Equifax was fined £11,164,400 (about $13.6 million) on Friday by a British regulator for allowing hackers to access personal information of millions of people in 2017. About 13.8 million UK consumers were affected in the incident, according to the Financial Conduct Authority, and it remains one of the Data Breach Legislation Equifax ★★★
News.webp 2023-10-13 13:05:49 Equifax scores £11.1M slap on wrist over 2017 mega breach (direct link) Not quite a pound for every one of the 13.8 million affected UK citizens, and it could have been more. The UK's Financial Conduct Authority (FCA) has fined Equifax a smidge over £11 million ($13.6 million) for severe failings that put millions of consumers at risk of financial crime.… Equifax ★★
InfoSecurityMag.webp 2023-10-13 11:45:00 UK Regulator Fines Equifax £11m for 2017 Data Breach (direct link) The UK FCA held Equifax Ltd responsible for failing to protect UK consumer data held by its US-based parent company. Data Breach Equifax ★★
Chercheur.webp 2023-09-07 11:09:35 The Hacker Tool to Get Personal Data from Credit Bureaus (direct link) The new site 404 Media has a good article on how hackers are cheaply getting personal information from credit bureaus: This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target's credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement... Tool Equifax ★★
The_Hackers_News.webp 2023-05-22 16:42:00 Are Your APIs Leaking Sensitive Data? (direct link) It's no secret that data leaks have become a major concern for both citizens and institutions across the globe. They can cause serious damage to an organization's reputation, induce considerable financial losses, and even have serious legal repercussions. From the infamous Cambridge Analytica scandal to the Equifax data breach, there have been some pretty high-profile leaks resulting in massive Equifax ★★★
Chercheur.webp 2023-02-14 12:06:06 What Will It Take? (direct link) What will it take for policy makers to take cybersecurity seriously? Not minimal-change seriously. Not here-and-there seriously. But really seriously. What will it take for policy makers to take cybersecurity seriously enough to enact substantive legislative changes that would address the problems? It's not enough for the average person to be afraid of cyberattacks. They need to know that there are engineering fixes—and that's something we can provide. For decades, I have been waiting for the “big enough” incident that would finally do it. In 2015, Chinese military hackers hacked the Office of Personnel Management and made off with the highly personal information of about 22 million Americans who had security clearances. In 2016, the Mirai botnet leveraged millions of Internet-of-Things devices with default admin passwords to launch a denial-of-service attack that disabled major Internet platforms and services in both North America and Europe. In 2017, hackers—years later we learned that it was the Chinese military—hacked the credit bureau Equifax and stole the personal information of 147 million Americans. In recent years, ransomware attacks have knocked hospitals offline, and many articles have been written about Russia inside the U.S. power grid. And last year, the Russian SVR hacked thousands of sensitive networks inside civilian critical infrastructure worldwide in what we're now calling Sunburst (and used to call SolarWinds)... Ransomware Equifax SolarWinds ★★
SecurityWeek.webp 2023-02-01 12:00:00 Cyber Insights 2023: ICS and Operational Technology (direct link) The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced. Industrial Equifax ★★★
Chercheur.webp 2022-12-20 20:08:40 The Equifax Breach Settlement Offer is Real, For Now (direct link) Millions of people likely just received an email or snail mail notice saying they're eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this particular offer is legit (if paltry), scammers are likely to soon capitalize on public attention to the settlement money. Equifax ★★
InfoSecurityMag.webp 2022-08-23 17:30:00 Ex-Security Chief Accuses Twitter of Cybersecurity Negligence (direct link) Peiter Zatko admitted that he “reasonably feared Twitter could suffer an Equifax-level hack” Equifax
CSO.webp 2022-08-16 02:00:00 The 12 biggest data breach fines, penalties, and settlements so far (direct link) Sizable fines assessed for data breaches since 2019 suggest that regulators are getting more serious about organizations that don't properly protect consumer data. Marriott was hit with a $124 million fine, later reduced, while Equifax agreed to pay a minimum of $575 million for its 2017 breach. Now, the Equifax fine has been eclipsed by the $1.19 billion fine levied against the Chinese firm Didi Global for violating that nation's data protection laws, and by the $877 million fine against Amazon last year for running afoul of the General Data Protection Regulation (GDPR) in Europe. Data Breach Equifax
CSO.webp 2022-06-14 02:00:00 Vulnerability management mistakes CISOs still make (direct link) Multiple breaches, including the massive 2017 data breach at the credit reporting agency Equifax, have been traced back to unpatched vulnerabilities; a 2019 Tripwire study found that 27% of all breaches were caused by unpatched vulnerabilities, while a 2018 Ponemon study put the number at a jaw-dropping 60%. Data Breach Equifax
Fortinet.webp 2022-04-14 19:54:44 Incomplete Fix for Apache Struts 2 Vulnerability (CVE-2021-31805) Amended (direct link) FortiGuard Labs is aware that on April 12th, 2022 the Apache Software Foundation disclosed and released a fix for a potential remote code execution vulnerability (CVE-2021-31805, an OGNL injection vulnerability) that affects Apache Struts 2. Apache has acknowledged in an advisory that the fix was issued because the first patch released in 2020 did not fully remediate the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory on April 12th, 2022, warning users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible. Why is this Significant? This is significant because Apache Struts is widely used and successfully exploiting CVE-2021-31805 could result in an attacker gaining control of a vulnerable system. Because of the potential impact, CISA released an advisory urging users and administrators to review the security advisory "S2-062" issued by Apache and upgrade to the latest released version as soon as possible. On a side note, an older Struts 2 OGNL injection vulnerability (CVE-2017-5638) was exploited in the wild, resulting in a massive data breach of credit reporting agency Equifax in 2017. What is Apache Struts 2? Apache Struts 2 is an open-source web application framework for developing Java web applications that extends the Java Servlet API to assist, encourage, and promote developers to adopt a model-view-controller (MVC) architecture. What is CVE-2021-31805? CVE-2021-31805 is an OGNL injection vulnerability in Struts 2 that enables an attacker to perform remote code execution on a vulnerable system. The vulnerability was originally assigned CVE-2020-17530; however, CVE-2021-31805 was newly assigned to the vulnerability after some security researchers found a workaround for the original patch released in 2020. The vulnerability is described as "some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation." What Versions of Apache Struts are Vulnerable to CVE-2021-31805? Struts 2.0.0 - Struts 2.5.29 are vulnerable. Struts 2.0.0 and 2.5.29 were released in 2006 and 2022 respectively. Has the Vendor Released a Patch for CVE-2021-31805? Yes, Apache released a fixed version (2.5.30) of Apache Struts 2 on April 12th, 2022. Users and administrators are advised to upgrade to Struts 2.5.30 or greater as soon as possible. Has the Vendor Released an Advisory? Yes, Apache released an advisory on April 12th, 2022. See the Appendix for a link to "Security Bulletin: S2-062". What is the Status of Coverage? FortiGuard Labs provides the following IPS coverage for CVE-2020-17530, which applies for CVE-2021-31805: Apache.Struts.OGNL.BeanMap.Remote.Code.Execution Data Breach Vulnerability Guideline Equifax
Kaspersky.webp 2022-01-05 19:00:03 FTC to Go After Companies that Ignore Log4j (direct link) Companies that fail to protect secure consumer data from Log4J attacks are at risk of facing Equifax-esque legal action and fines, the FTC warned. Equifax
NakedSecurity.webp 2022-01-05 16:37:54 FTC threatens “legal action” over unpatched Log4j and other vulns (direct link) Remember the Equifax breach? Remember the $700m penalty? In case you'd forgotten, here's the FTC to refresh your memory! Equifax
Veracode.webp 2021-09-23 08:55:21 Application Security Testing Evolution and How a Software Bill of Materials Can Help (direct link) Early in my career, I developed web applications. At the time there were practically no frameworks or libraries to help. I was coding with Java using raw servlets and JSPs – very primitive by today's standards. There was no OWASP Top 10 and writing secure code was not something we paid much attention to. I specifically remember coding an open redirect years ago. I didn't know it was a vulnerability at the time. In my mind, it was a great feature for my Java servlet to recognize a special query string parameter that, if present, would trigger a redirection to the given URL! Interestingly, a dynamic scan or penetration test of the application would not have found my vulnerability. The name of the parameter was undocumented and not easy to guess. On the other hand, static application security testing (SAST) or a manual code review would have found it. My first stint at Veracode was in 2012, after six years working as an application security consultant. It was exciting to join an up-and-coming company on the cutting edge of AppSec testing. Since then, open source software has grown enormously and proliferated in all aspects of application development. Building apps today is faster because of how easy it is to integrate these components into our own projects. Package managers and open source registries like the Maven repository, the NPM registry, PyPI, and RubyGems.org provide a way for developers to quickly access and leverage a rich plethora of ready-to-use libraries and frameworks. The downside with this model of building applications is that vulnerabilities present in open source components are inherited by our software as well. This has resulted in many data breaches over the years (Equifax via Apache Struts comes to mind). One of the reasons I recently re-joined Veracode is to have the opportunity to work with a premier Software Composition Analysis (SCA) tool. SCA is complementary to SAST. While SAST checks 1st-party code for security flaws, SCA looks at 3rd-party code like open source libraries. In terms of the OWASP Top 10, this falls under OWASP #9 – Using Components with Known Vulnerabilities. If your application is using a vulnerable component, it's not necessarily your fault. The vulnerable component may be present because a library that your code is using directly has a dependency on another library. This is called a transitive dependency. Transitive dependencies are pulled in automatically by build systems, aka package managers. Data from our State of Software Security: Open Source Edition report shows that 71 percent of applications have a vulnerability in an open source library on initial scan, and that nearly half of those (47 percent) are transitive. Now let's talk about a software bill of materials (SBOM). An SBOM lists the individual components that are included in a piece of software. This can help with identifying vulnerabilities or license risks that may affect your organization. The concept of an SBOM is not new, but it's garnered much more interest lately due to the recent U.S. Cybersecurity Executive Order. One of its requirements is having an SBOM for all critical software sold to the federal government. There are different SBOM specifications in the marketplace today. I will focus on CycloneDX, which was recently accepted as a flagship OWASP project. CycloneDX is a security-focused SBOM specification and capable of describing the following types of components: Application, Container, Device, File, Firmware, Framework, Library, Operating System, Service. CycloneDX's supported data formats are XML, JSON, and Protobuf. Here's an example of a CycloneDX SBOM in JSON format: Right away we can see that the software represented by this SBOM includes one library – Apache's Commons Collections ver Vulnerability Equifax
itsecurityguru.webp 2021-09-09 10:25:08 Jenkins discloses attack on its Atlassian Confluence service (direct link) The open source automation server Jenkins has disclosed a successful attack on its Confluence service. Attackers abused an Open Graph Navigation Library (OGNL) injection flaw – the same vulnerability type involved in the notorious 2017 Equifax hack – capable of leading to remote code execution (RCE) in Confluence Server and Data Center instances. Rated CVSS […] Hack Vulnerability Guideline Equifax
Chercheur.webp 2021-07-01 18:56:42 Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax (direct link) Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month. Intuit says the change is tied to an "exciting" and "free" new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit. Equifax
SecurityWeek.webp 2021-04-08 15:06:39 Library Dependencies and the Open Source Supply Chain Nightmare (direct link) Vulnerabilities in Open Source Software: It's a bigger problem than is immediately apparent, and has the potential for hacks as big as Equifax and as widespread as SolarWinds. Equifax
Veracode.webp 2021-02-24 13:30:31 Dangers of Only Scanning First-Party Code (direct link) When it comes to securing your applications, it's not unusual to only consider the risks from your first-party code. But if you're solely considering your own code, then your attack surface is likely bigger than you think. Our recent State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries. That means your attack surface is exponentially larger than just the code written in-house. Yet a study conducted by Enterprise Strategy Group (ESG) established that less than half of organizations have invested in security controls to scan for open source vulnerabilities. If the majority of applications are made up of open source libraries, why are most organizations only scanning their first-party code? Because most organizations assume that third-party code was already scanned for vulnerabilities by the library developer. But you can't base the safety of your applications on assumptions. Our State of Software Security: Open Source Edition report revealed that approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that's pulled indirectly from another library in use. Over the years, several organizations have learned the hard way just how dangerous it is to only scan first-party code. In 2014, the notorious open source vulnerability "Heartbleed" occurred. Heartbleed was the result of a flaw in OpenSSL, a third-party library that implemented the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The vulnerability enabled cyberattackers to access over 4.5 million healthcare records from Community Health Systems Inc. In 2015, there was a critical vulnerability in Glibc, a GNU C library. The open source security vulnerability nicknamed "Ghost" affected all Linux servers and web frameworks such as Python, PHP, Ruby on Rails as well as API web services that use the Glibc library. The vulnerability made it possible for hackers to compromise applications with a man-in-the-middle attack. In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data, including social security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. On the good news front: Close to 74 percent of open source flaws can be fixed with an update like a revision or patch. Even high-priority open source flaws don't require extensive refactoring of code; close to 91 percent can be fixed with an update. Equifax had to pay up to $425 million to help people affected by the data breach that the court deemed "entirely preventable." In fact, it was discovered that the breach could have been avoided with a simple patch to its open source library, Apache Struts. Open source patches and updates Don't become a victim to the monsters lurking in your third-party libraries. Download our whitepaper Accelerating Software Development with Secure Open Source So Data Breach Vulnerability Equifax
AlienVault.webp 2021-01-12 11:00:00 Why cybersecurity awareness is a team sport (direct link) This blog was written by an independent guest blogger. Cybersecurity may be different based on a person's viewpoint. One may want to simply protect and secure their social media accounts from hackers, and that would be the definition of what cybersecurity is to them. On the other hand, a small business owner may want to protect and secure credit card information gathered from their point-of-sale registers, and that is what they define as cybersecurity. Despite differences in implementation, at its core, cybersecurity pertains to the mitigation of potential intrusion of unauthorized persons into your system(s). It should encompass all aspects of one's digital experience, whether you are an individual user or a company. Your cyber protection needs to cover your online platforms, devices, servers, and even your cloud storage. Any unprotected area of your digital journey can serve as an exploit point for hackers and cyber criminals intent on finding vulnerabilities. People assume that it is the responsibility of the IT Department to stop any intrusion. That may be true up to a certain point, but in reality cybersecurity responsibility rests with everyone. Cybersecurity should be everybody's business. The cybersecurity landscape is changing. With 68% of businesses saying that their cybersecurity risks have increased, it is no wonder that businesses have been making increased efforts to protect from, and mitigate, attacks. During the height of the pandemic, about 46% of the workforce shifted to working from home. We saw a surge in cybersecurity attacks - for example, RDP brute-force attacks increased by 400% around the same time. This is why cybersecurity must be and should be everybody's business. According to the 2019 Cost of Cybercrime Study, cyberattacks often are successful due to employees willingly participating as internal actors or employees and affiliates carelessly clicking a link by accident. Sadly, it is still happening today. Unsuspecting employees can be caught vulnerable and cause a corporate-wide cyberattack by opening a phishing email or bringing risks into the company's network in a BYOD (Bring Your Own Device) system. Just a decade ago, Yahoo experienced a series of major data breaches, via a backdoor to their network system established by a hacker (or a group of hackers). Further digital forensic investigation shows the breach started from a phishing email opened by an employee. Another example was Equifax when it experienced a data breach in 2017 and was liable for fines amounting to $425 million by the Federal Trade Commission (FTC). Companies continue to double up on their investments in cybersecurity and privacy protection today to ensure that incidents like these do not happen to their own networks. But a network is only as strong as its weakest link. Hackers continue to innovate, making their attacks more and mo Ransomware Data Breach Malware Vulnerability Guideline Equifax Yahoo
SecurityWeek.webp 2021-01-08 19:00:08 Equifax Buys Fraud Prevention Firm Kount in $640 Million Deal (lien direct) Equifax on Friday announced plans to shell out $640 million to acquire Kount, a company that sells e-commerce retail fraud protection. The Atlanta, Ga.-based Equifax said the deal would expand its worldwide footprint in digital identity and fraud prevention solutions. Equifax Equifax
Veracode.webp 2021-01-05 13:25:00 Nature vs. Nurture Tip 3: Employ SCA With SAST (lien direct) For this year's State of Software Security v11 (SOSS) report, we examined how both the "nature" of applications and how we "nurture" them contribute to the time it takes to close out a security flaw. We found that the "nature" of applications (such as size or age) can have a negative effect on how long it takes to remediate a security flaw, while steps taken to "nurture" application security (such as using multiple application security (AppSec) testing types) can have a positive effect. In our first blog, Nature vs. Nurture Tip 1: Use DAST With SAST, we explored how organizations that combine DAST with SAST address 50 percent of their open security findings almost 25 days faster than organizations that only use SAST. In our second blog, Nature vs. Nurture Tip 2: Scan Frequently and Consistently, we addressed the benefits of frequent and consistent scanning by highlighting the SOSS finding that organizations that scan their applications at least daily reduce time to remediation by more than a third, closing 50 percent of security flaws in 2 months. For our third tip, we explore the importance of software composition analysis (SCA) and how, when used in conjunction with static application security testing (SAST), it can shorten the time it takes to address security flaws. What is SCA and why is it important? SCA inventories the open source components in an application and checks them against known vulnerabilities. Some assume that open source code is more secure than first-party code because there are "more eyes on it," but that is often not the case. In fact, according to our SOSS report, almost one-third of applications have more security findings in their third-party libraries than in primary code. Given that a typical Java application is 97 percent third-party code, this is a concerning statistic.
Since SCA is the AppSec testing type built to identify known vulnerabilities in open source components, if you don't employ SCA you could find yourself the victim of a costly breach. In 2017, Equifax suffered a massive data breach through an unpatched vulnerability in Apache Struts that compromised the data, including Social Security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. How can SCA with SAST shorten time to remediation? If you are only using static analysis to assess the security of your code, your attack surface is likely bigger than you think. Third-party code is part of your attack surface, and it is only uncovered by SCA. By incorporating software composition analysis into your testing mix, you find and address more flaws. According to SOSS, organizations that employ "good" scanning practices (like SCA with SAST) tend to be more mature and further along in their AppSec journey, and organizations with mature AppSec programs tend to remediate flaws faster. For example, employing SCA with SAST cuts ti Data Breach Equifax
Veracode.webp 2020-11-10 09:10:27 In the Financial Services Industry, 74% of Apps Have Security Flaws (lien direct) Over the past year, the financial services industry has been challenged with pivoting its operations to a fully digital model, putting the security of its software center stage. Despite the unanticipated pivot, our recent State of Software Security v11 (SOSS) report found that the financial services industry has the smallest proportion of applications with security flaws compared to other sectors, along with the second-lowest prevalence of severe security flaws and the best security flaw fix rate. But despite the impressive fix rate, the financial services industry is falling behind when it comes to the time it takes to make those fixes. This is a troubling finding because speed matters in application security. The time it takes attackers to develop exploits for newly disclosed vulnerabilities is measured in days, sometimes hours, so letting known vulnerabilities linger unfixed dramatically increases your risk. For instance, only days passed between disclosure and exploitation of the Apache Struts vulnerability that led to the Equifax breach. Looking at the data, the reason for the delay in remediation becomes clearer. In the financial services sector, applications tend to be older than those in other industries and the organizations are fairly large. On top of these challenging factors, developers and security professionals in this industry are not regularly employing the DevSecOps practices known to improve fix rates, such as scanning for security both frequently and regularly and using more than one testing type. What does this mean for the financial services industry?
The data suggests that for many financial services firms developers face a challenging environment, and that adopting additional DevSecOps practices offers the most opportunity for improvement in addressing security flaws. While talking about flaws, it's worth noting that the most common security flaws in the financial services industry are information leakage, code quality, and CRLF injection. Injection flaws are especially important to keep an eye on, since they are the top web application security risk in the OWASP Top 10. On a positive note, the industry has lower than average rates of cryptography, input validation, Cross-Site Scripting, and credentials management flaws. For more information on software security trends in the financial services industry, check out The State of Software Security Industry Snapshot. Vulnerability Equifax
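Of the three flaw categories named in that post, CRLF injection is the one a short example makes concrete. The block below is an added example, not code from the Veracode report or its dataset: a minimal HTTP/1.1 redirect builder in Python that copies a URL-decoded, user-controlled `next` parameter into the Location header. The vulnerable builder lets an attacker-supplied `%0d%0a` sequence terminate the header and smuggle a second one (here a Set-Cookie), which the small response parser then surfaces exactly as a browser or proxy would; the hardened builder rejects any control character before the value reaches the header block. The attack string, the parameter name and all function names are constructed for this example.

```python
"""CRLF (header) injection: a vulnerable redirect builder beside a hardened one.

Added example, not Veracode's code. The parameter value arrives URL-encoded,
is decoded the way a web framework would decode it, and is then written into
an HTTP/1.1 header block. Every input and name below is constructed.
"""
from urllib.parse import unquote

# Constructed attacker input: a path, an encoded CR LF, and a second header
# the attacker wants the server to emit on its behalf.
ATTACK_PARAM = "/home%0d%0aSet-Cookie:%20session=attacker"


class HeaderInjection(ValueError):
    """Raised when a value destined for a header carries CR, LF or another control byte."""


def build_redirect_vulnerable(target: str) -> bytes:
    """Copies the (already decoded) target straight into the Location header."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def build_redirect_hardened(target: str) -> bytes:
    """Same response, but refuses any header value containing a control character.

    Checking only for the two-byte CR LF sequence is not enough: a bare LF also
    splits the header block for most parsers, and no other control byte is
    ever valid inside a header value either.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise HeaderInjection(f"control character in header value: {target!r}")
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def redirect_from_request(next_param: str, hardened: bool) -> bytes:
    """Decode the query parameter (as a framework would) and build the redirect.

    The check must run on the decoded value: validating the raw %0d%0a form
    would miss the bytes the framework produces after decoding.
    """
    target = unquote(next_param)
    builder = build_redirect_hardened if hardened else build_redirect_vulnerable
    return builder(target)


def is_rejected(next_param: str) -> bool:
    """True when the hardened path refuses the parameter."""
    try:
        redirect_from_request(next_param, hardened=True)
    except HeaderInjection:
        return True
    return False


def parse_response_headers(raw: bytes) -> dict:
    """Tiny header parser standing in for the browser or proxy reading the response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    smuggled = parse_response_headers(redirect_from_request(ATTACK_PARAM, hardened=False))
    print("vulnerable builder emitted:", smuggled)
    print("hardened builder rejects it:", is_rejected(ATTACK_PARAM))
```

Mature HTTP stacks already apply the hardened check for you (CPython's http.client and Django both refuse header values containing CR or LF), so the flaw usually appears where code bypasses the framework and writes raw bytes to the socket, or where a value is validated before, rather than after, URL decoding.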
The_State_of_Security.webp 2020-10-13 03:01:09 Shared Responsibility and Configuration Management in the Cloud: SecTor 2020 (lien direct) A number of high-profile data breaches have resulted directly from misconfigured permissions or unpatched vulnerabilities. For instance, the 2017 Equifax breach was the result of exploiting an unpatched flaw in Apache Struts allowing remote code execution. More recently, the Capital One breach last year stemmed from a misconfigured web application firewall. Verizon's 2020 DBIR reported […] Equifax
Veracode.webp 2020-10-01 14:10:28 96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws (lien direct) Most modern codebases depend on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But, shockingly, less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities. Why is it important to scan open source libraries? For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. If open source libraries are not scanned, these flaws go unnoticed and stay exploitable. Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach through an unpatched vulnerability in Apache Struts that compromised the data, including Social Security numbers, of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. The unfortunate reality is that if Equifax had scanned its open source libraries and patched the vulnerability, the breach could have been avoided. Why aren't more organizations scanning open source libraries? If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why do less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that the library developers have already scanned the code for vulnerabilities.
Unfortunately, you can't rely on library developers to keep your application safe. Approximately 42 percent of the third-party code pulled in directly by an application developer has a flaw on first scan. And even if the directly included code appears free of flaws, more than 47 percent of third-party code has a transitive flaw, one pulled in indirectly through another library in use. What are your options for managing library security flaws? First, it's important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update, such as a minor revision or patch. Even high-priority flaws are easy to fix: close to 91 percent can be fixed with an update. So, when it comes to managing your library security flaws, the concentration should not just be, "How Data Breach Tool Vulnerability Equifax
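The two Veracode posts above (Tip 3 on pairing SCA with SAST, and this one on direct versus transitive library flaws) describe what an SCA pass does without showing one. The block below is an added example, not Veracode's scanner or any project's code: it walks a constructed Maven-style dependency tree, records whether each component is a direct or a transitive dependency, matches each against an advisory list and reports the smallest upgrade that clears the finding. The application, its `reporting-lib` dependency and the tree shape are constructed; the single advisory entry uses the real affected ranges of CVE-2017-5638, the Apache Struts 2 bug behind the Equifax breach (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). Version comparison is deliberately numeric-only and does not handle qualifiers such as `-SNAPSHOT`.

```python
"""Minimal software composition analysis (SCA) over a dependency tree.

Added example, not Veracode's tooling. It answers the three questions an SCA
pass answers: which open source components are reachable, whether each was
added directly or arrived transitively, and which known-vulnerable versions
are present along with the nearest fixed version. Inputs are constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31). Numeric segments only; qualifiers are not handled."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    # (first affected, first fixed) pairs: version x is affected when lo <= x < hi.
    ranges: Tuple[Tuple[str, str], ...]

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in self.ranges)

    def minimum_fix(self, version: str) -> Optional[str]:
        """First fixed version on the same release line, or None if not affected."""
        v = parse_version(version)
        for lo, hi in self.ranges:
            if parse_version(lo) <= v < parse_version(hi):
                return hi
        return None


# Real affected ranges for CVE-2017-5638 (Apache Struts 2, the Equifax bug).
ADVISORIES: List[Advisory] = [
    Advisory(
        "CVE-2017-5638", "org.apache.struts", "struts2-core",
        (("2.3.5", "2.3.32"), ("2.5.0", "2.5.10.1")),
    ),
]

# Constructed dependency tree in the shape `mvn dependency:tree` prints:
# each coordinate maps to the coordinates it declares as dependencies.
ROOT: Coord = ("com.example", "portal", "1.0.0")
TREE: Dict[Coord, List[Coord]] = {
    ROOT: [
        ("com.example", "reporting-lib", "4.2.0"),
        ("org.slf4j", "slf4j-api", "1.7.30"),
    ],
    ("com.example", "reporting-lib", "4.2.0"): [
        ("org.apache.struts", "struts2-core", "2.3.31"),  # never added by the app team
    ],
    ("org.apache.struts", "struts2-core", "2.3.31"): [
        ("ognl", "ognl", "3.0.19"),
    ],
}


def walk(tree: Dict[Coord, List[Coord]], root: Coord) -> Iterator[Tuple[Coord, List[Coord]]]:
    """Breadth-first walk yielding each coordinate once with its shortest path from root."""
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for child in tree.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            child_path = path + [child]
            queue.append((child, child_path))
            yield child, child_path


def scan(tree: Dict[Coord, List[Coord]], root: Coord,
         advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Match every reachable component against the advisory list."""
    findings = []
    for (group, artifact, version), path in walk(tree, root):
        for adv in advisories:
            if (adv.group, adv.artifact) == (group, artifact) and adv.affects(version):
                findings.append({
                    "cve": adv.cve,
                    "component": f"{group}:{artifact}:{version}",
                    "direct": len(path) == 2,  # root -> component, nothing in between
                    "path": " -> ".join(f"{a}:{v}" for _, a, v in path),
                    "fix": adv.minimum_fix(version),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(TREE, ROOT):
        kind = "direct" if finding["direct"] else "transitive"
        print(f"{finding['cve']}: {finding['component']} ({kind}) via "
              f"{finding['path']}; upgrade to {finding['fix']}")
```

The direct/transitive flag is the operationally useful part: a direct finding is fixed by editing the application's own build file, while a transitive one (the case shown, where the app team never declared Struts at all) means either pinning the fixed version through dependency management or getting the upstream library to move. A production SCA tool additionally resolves version conflicts the way the build tool does, reads advisory feeds instead of a hard-coded list, and copes with non-numeric version qualifiers.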
Blog.webp 2020-03-26 14:54:41 Q&A: Accedian's Michael Rezek on using 'Network Traffic Analysis' to defend hybrid networks (lien direct) Defending business networks isn't getting any easier. Companies can have the latest, greatest perimeter defenses, intrusion detection systems and endpoint protections, and attackers will still get through. Just ask Equifax or Capital One. Related: Why cybersecurity should reflect Equifax
MalwarebytesLabs.webp 2020-02-18 16:40:45 A week in security (February 10 – 16) (lien direct) A roundup of the previous week's security news, including Malwarebytes' release of the 2020 State of Malware Report, online dating woes, Emotet infection vectors, ransomware attacks, and more. Ransomware Malware Equifax
WiredThreatLevel.webp 2020-02-11 19:58:27 China's Hacking Spree Will Have a Decades-Long Fallout (lien direct) Equifax. Anthem. Marriott. OPM. The data that China has amassed about US citizens will power its intelligence activities for a generation. Equifax ★★★★★
grahamcluley.webp 2020-02-11 15:52:00 China denies it was behind the Equifax hack, as four men charged for data breach (lien direct) China has denied that it was behind the hack of Equifax in 2017, which saw the personal data of hundreds of millions of individuals stolen – including the names, birth dates and social security numbers for nearly half of all American citizens. Read more in my article on the Hot for Security blog. Data Breach Hack Equifax
no_ico.webp 2020-02-11 15:16:59 Chinese Government Hackers Implicated In Equifax Breach: What You Need To Know (lien direct) Following the news yesterday that Chinese government hackers have been indicted for breaching Equifax in 2017, please see comment below from Sonatype CEO Wayne Jackson. The ISBuzz Post: This Post Chinese Government Hackers Implicated In Equifax Breach: What You Need To Know Equifax
no_ico.webp 2020-02-11 12:22:31 CEO Comments On US Charges Four Chinese Military Officers Over Equifax Breach (lien direct) Following the news regarding the US charging four Chinese military officers over the huge Equifax breach, Ambuj Kumar, CEO and co-founder of Fortanix commented below.  The ISBuzz Post: This Post CEO Comments On US Charges Four Chinese Military Officers Over Equifax Breach Equifax
01net.webp 2020-02-11 11:24:16 The United States indicts Chinese agents for one of the biggest hacks in history (lien direct) It was 2017: a mysterious team of hackers got hold of the personal data of 145 million Americans following the hack of the credit agency Equifax. The United States has just indicted four Chinese agents in this case, which could further complicate diplomatic relations between Washington and Beijing. Hack Equifax
itsecurityguru.webp 2020-02-11 11:07:39 (Déjà vu) Chinese Military charged by U.S. for Equifax Breach (lien direct) The U.S. Department of Justice announced today that four members of the Chinese People's Liberation Army (PLA) 54th Research Institute were charged for hacking the credit reporting agency Equifax in 2017. On January 28, 2020, a federal grand jury in Atlanta returned an indictment alleging that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可), and Liu Lei (刘磊) broke […] Equifax
Chercheur.webp 2020-02-11 03:25:52 (Déjà vu) U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack (lien direct) The U.S. Justice Department today unsealed indictments against four Chinese officers of the People's Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.  Hack Equifax
SecurityAffairs.webp 2020-02-10 22:46:29 Chinese Military personnel charged with hacking into credit reporting agency Equifax (lien direct) The United States Department of Justice charged 4 Chinese military hackers with hacking into credit reporting agency Equifax. The United States Department of Justice officially charged 4 members of the China’s PLA's 54th Research Institute, a division of the Chinese military, with hacking into credit reporting agency Equifax. The four members of the Chinese military […] Equifax
WiredThreatLevel.webp 2020-02-10 17:52:32 How 4 Chinese Hackers Allegedly Took Down Equifax (lien direct) The Department of Justice has pinned the Equifax hack on China. Here's how they did it, according the indictment. Hack Equifax
BBC.webp 2020-02-10 17:00:03 Equifax: US charges four Chinese military officers over huge hack (lien direct) Nearly 150m Americans had personal data compromised in the hack of credit rating giant Equifax. Hack Equifax
ZDNet.webp 2020-02-10 15:19:00 DOJ charges four Chinese military hackers for Equifax hack (lien direct) DOJ said the hackers stole data on Americans and Equifax's intellectual property. Hack Equifax
bleepingcomputer.webp 2020-02-10 13:09:19 (Déjà vu) U.S. Charges Chinese Military Hackers for Equifax Breach (lien direct) The U.S. Department of Justice announced today that four members of the Chinese People's Liberation Army (PLA) 54th Research Institute were charged for allegedly hacking the credit reporting agency Equifax in 2017. [...] Equifax
bleepingcomputer.webp 2020-02-10 13:09:19 U.S. Charges Chinese Military Hackers for Equifax Breach (lien direct) The U.S. Department of Justice announced today that four members of the Chinese People's Liberation Army (PLA) 54th Research Institute were charged for allegedly hacking the credit reporting agency Equifax in 2017. [...] Equifax
The_Hackers_News.webp 2020-02-10 07:57:01 U.S. Charges 4 Chinese Military Hackers Over Equifax Data Breach (lien direct) The United States Department of Justice today announced charges against 4 Chinese military hackers who were allegedly behind the Equifax data breach that exposed the personal and financial data of nearly 150 million Americans. In a joint press conference held today with the Attorney General William Barr and FBI Deputy Director David Bowdich, the DoJ officials labeled the state-sponsored Data Breach Equifax
DarkReading.webp 2020-01-15 18:00:00 2017 Data Breach Will Cost Equifax at Least $1.38 Billion (lien direct) Company agrees to set aside a minimum of $380.5 million as breach compensation and spend another $1 billion on transforming its information security over the next five years. The 147 million US consumers affected by the breach have one week from today to file a claim. Data Breach Equifax
Pirate.webp 2019-12-17 13:40:21 The Equifax security flaw ranked as the top network attack (lien direct) WatchGuard Q3 2019 report: the vulnerability behind the Equifax breach is still widely exploited, and 50% of detected attacks are "zero-day". WatchGuard's latest Internet Security Report also reveals a significant increase in malware and other network attacks, with so-called "zero-day" malware accounting for 50% of all detected attacks. Equifax
bleepingcomputer.webp 2019-10-31 17:29:24 Active Duty U.S. Military Now Gets Free Credit Monitoring (lien direct) The FTC announced that starting October 31 active-duty U.S. Army service members and National Guard members will get free credit monitoring from the Equifax, Experian, and TransUnion nationwide credit reporting agencies. [...] Equifax
itsecurityguru.webp 2019-10-30 09:51:54 10 percent of small businesses impacted by data breach (lien direct) Data breaches hitting massive entities like Equifax, Facebook and Target grab headlines, but the impact on small businesses is just as severe, with attacks causing bankruptcy or even forcing a firm to shutter its doors. A report issued by the National Cyber Security Alliance, based on a Zogby Analytics survey of 1,008 small businesses with up to […] Data Breach Equifax
MalwarebytesLabs.webp 2019-10-29 15:56:37 Stalkerware developer dealt new blow by FTC (lien direct) A new government front has emerged against stalkerware: the US Federal Trade Commission. Following enforcement against Retina-X and its founder, what's next? Equifax Uber
Last update at: 2024-04-28 08:07:48