News

The Open Web Application Security Project (OWASP) has patched a vulnerability in its Enterprise Security API (ESAPI) that, if neglected, could have been abused to run path traversal attacks. The flaw, which had a security severity rating of 7.5 out of 10 and involved the ESAPI validator interface, can be resolved by applying the patched 2.3.0.0 release. Yaniv Balmas, VP of Research at Salt Security, notes that while the vulnerability is a relatively moderate one...

New research from the email security firm Inky has revealed that more than 1000 emails were sent from NHS inboxes over a six-month period. The firm has claimed that the campaign, beginning October 2021, escalated "dramatically" in March of this year. After the findings were reported to the NHS on April 13, Inky reported that the volume of attacks fell significantly to just a "few". “The majority were fake new document notifications with malicious links...

The National Cyber Security Centre (NCSC), working alongside the Institute of Engineering and Technology (IET) and the UK's Centre for the Protection of National Infrastructure (CPNI), has developed a new document providing best practices for those involved in the design, management, operation and security of building-related systems. The Code of Practice: Cyber Security in the Built Environment focuses on the security principles stakeholders should apply to a range of technologies in the built environment. “A building being...

The Securities and Exchange Commission (SEC) has made serious improvements to its in-house cryptocurrency and cybersecurity skills. The move comes as an attempt to improve investor confidence and enhance the transparency of listed companies. 20 additional positions have been added to the regulator's newly renamed Crypto Assets and Cyber Unit. Previously known as the Cyber Unit, the function sits in the Division of Enforcement, growing to 50 dedicated positions. While the SEC touted the previous...

Armis: Top Performer in Asset Visibility and Real-Time Detection in MITRE Engenuity ATT&CK® Evaluations for Industrial Control Systems (ICS)

Armis, the unified asset visibility and security platform, disclosed five critical vulnerabilities, known as TLStorm 2.0, in the implementation of TLS communications in multiple models of network switches. The vulnerabilities stem from a similar design flaw identified in the TLStorm vulnerabilities (discovered earlier this year by Armis), expanding the reach of TLStorm to millions of additional enterprise-grade network infrastructure devices. In March 2022, Armis first disclosed TLStorm—three critical vulnerabilities in APC Smart-UPS devices....

Researchers at Sentinel Labs have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, with its efforts aimed at telecommunication service providers in Central Asia. While the new threat group does have overlaps with "RedFoxtrot" and "Nomad Panda," notably including the use of ShadowPad and PlugX malware variants, its activities differ enough to be tracked separately. A new report from Sentinel Labs claims that Moshen Dragon is a skilled hacking group, able to...

Spyware has been found on the mobile phones of Pedro Sánchez, prime minister of Spain, and Margarita Robles, the country's minister of defence. The Spanish government revealed in a press conference given Monday morning that the phones had been infected with Pegasus spyware, extracting data from both devices. Félix Bolaños, the minister for the presidency, said that the PM's phone was targeted in May and June 2021, while Robles's was illegally monitored in June 2021....

Europol has warned of a projected rise in the use of deepfake technology by organised crime organisations. Deepfakes involve the use of artificial intelligence to create realistic audio and audio-visual content “that convincingly shows people saying or doing things they never did, or create personas that never existed in the first place.” Facing Reality? Law enforcement and the challenge of deepfakes is the first published analysis of the Europol Innovation Lab's Observatory function, warning that...

Market analysts at GlobalData have predicted that global cybersecurity spending is set to increase by 58%, reaching $198bn by 2025. GlobalData claims that an increasingly tense geopolitical landscape and the COVID-19 pandemic have placed the advantage squarely in the hands of threat actors. Spending will be primarily directed towards software, followed by services and hardware. “The past few years have shown that no one, not even specialist cybersecurity providers themselves, is safe from attack. Cyber-attacks are...

KB4Con 2022 – The Latest in Hacking Techniques with the World’s Most Famous Hacker

KB4Con 2022 ended on a high point as it involved an individual many of the attendees had been excited to hear from – someone who is widely considered to have coined the term hacking. It was none other than computing security consultant, author, “one-time world-most wanted hacker” and Chief Hacking Officer at KnowBe4, Kevin Mitnick. Kevin, who attended virtually via Zoom, was joined on stage by Colin Murphy, Chief Information Officer at KnowBe4. The talk...
