The supplier performance risk system (SPRS) is a database maintained by the DoD that “utilizes suppliers’ performance data in areas of product delivery and quality to rate performance and predict potential risk.”

The post Why SPRS Matters and 4 Steps to Improve Your Security Posture appeared first on Security Boulevard.

Even as manufacturers tackle convenience issues, the need for digital trust throughout EV infrastructure and ecosystems still remains.

The post Balancing Security and Convenience with EV Charging appeared first on Security Boulevard.

While many organizations are adopting AI at an alarming pace to gain efficiencies and lower operating costs through technology and headcount reduction, they may also be sacrificing their security.

The post Human Vigilance is Required Amid AI-Generated Cybersecurity Threats appeared first on Security Boulevard.

Social media content and AI training data are processed in outsource centres in the global south, where long hours, low pay and exposure to disturbing material are the norm

• James Muldoon, Mark Graham and Callum Cant: ‘AI feeds off the work of human beings’

Mercy craned forward, took a deep breath and loaded another task on her computer. One after another, disturbing images and videos appeared on her screen. As a Meta content moderator working at an outsourced office in Nairobi, Mercy was expected to action one “ticket” every 55 seconds during her 10-hour shift. This particular video was of a fatal car crash. Someone had filmed the scene and uploaded it to Facebook, where it had been flagged by a user. Mercy’s job was to determine whether it had breached any of the company’s guidelines that prohibit particularly violent or graphic content. She looked closer at the video as the person filming zoomed in on the crash. She began to recognise one of the faces on the screen just before it snapped into focus: the victim was her grandfather.

Mercy pushed her chair back and ran towards the exit, past rows of colleagues who looked on in concern. She was crying. Outside, she started calling relatives. There was disbelief – nobody else had heard the news yet. Her supervisor came out to comfort her, but also to remind her that she would need to return to her desk if she wanted to make her targets for the day. She could have a day off tomorrow in light of the incident – but given that she was already at work, he pointed out, she may as well finish her shift.

Continue reading...

💾

© Photograph: Yannick Tylle/Getty Images

💾

© Photograph: Yannick Tylle/Getty Images

Researchers claim to have uncovered what they claim is the biggest cache of stolen credentials ever found.

The post Researchers Discover Cache of Billion Stolen Passwords appeared first on Security Boulevard.

Spackle attack: Chinese company takes over widely used free web service—almost 400,000 websites at risk.

The post ‘Polyfill’ Supply Chain Threat: 4x Worse Than We Thought appeared first on Security Boulevard.

Ken Penders has finally published a "Lara-Su Chronicles" comic about the Archie Sonic characters. Bobby "Ponett" Schroeder reviews the contents and explains why this is legal.

On its 15th anniversary, the creators of FarmVille reflect on the compulsive cartoon farm sim that paved the way for a data-driven world

Facebook users of a certain age may remember a particularly forlorn farm animal popping up in their feeds during the platform’s heyday. The lonely cow would wander into FarmVille players’ pastures with its face twisted into a frown and its eyes shimmering with tears. “She feels very sad and needs a new home,” an accompanying caption read, asking you to adopt the cow or message your friends for help. Ignore the cow’s plea and it would presumably be left friendless and foodless. Message your friends about it, and you’d be accelerating the spread of one of the biggest online crazes of the 2010s.

Released 15 years ago, FarmVille was nothing short of a phenomenon. More than 18,000 players gave it a go on its first day, rising to 1 million by its fourth. At its peak in 2010, more than 80 million users logged in monthly to plant crops, tend animals and harvest goods for coins to spend on decorations. Celebrities professed their obsession, McDonald’s created a farm for a promotion, and long before artists released music on Fortnite, Lady Gaga debuted songs from her sophomore album through the cartoon farm sim. Not bad for a game that was stitched together in five weeks.

Continue reading...

💾

© Photograph: David J Green/Lifestyle/Alamy

💾

© Photograph: David J Green/Lifestyle/Alamy

Digital signatures are ideal for addressing today’s challenges, providing the robust security, flexibility and scalability that organizations require for a wide range of use cases.

The post Extending the Reach and Capabilities of Digital Signing With Standards appeared first on Security Boulevard.

As organizations look to improve their API security, two distinct approaches to API key verification have emerged — centralized and decentralized verification.

The post Understanding API Key Verification appeared first on Security Boulevard.

VOC enables teams to address the vulnerabilities that present the greatest risk to their specific attack surface before they can be exploited.

The post Smashing Silos With a Vulnerability Operations Center (VOC) appeared first on Security Boulevard.

While compliance frameworks establish baseline requirements for data protection, they may not always align with the rapidly evolving threat landscape.

The post Compliance, Security and the Role of Identity appeared first on Security Boulevard.

IT managers and CSOs need to rethink their approach to cybersecurity and protect their organizations from this new breed of AI-powered attacks.

The post Rethinking Cybersecurity in the Age of AI appeared first on Security Boulevard.

A survey of 706 IT and security professionals finds half are not very confident that they can stop a damaging security incident in the next 12 months, with 30% admitting they are less prepared to detect threats and respond to incidents than they were a year ago.

The post Survey Surfaces Growing Lack of Cybersecurity Confidence appeared first on Security Boulevard.

Man-in-the-middle attacks have increased in the age of digital connectivity and remote work, forcing companies to develop strategies to mitigate them.

The post Man-In-The-Middle Attacks are Still a Serious Security Threat appeared first on Security Boulevard.

While it's unlikely that quantum computers are currently in the hands of cybercriminals or hostile nation-states, they will be.

The post How to Achieve Crypto Resilience for a Post-Quantum World appeared first on Security Boulevard.

While SaaS apps enable better business operations, a secret threat is hiding in your SaaS stack: "Shadow IT.”

The post The Secret Threat Hiding in Your SaaS Stack: Shadow IT appeared first on Security Boulevard.

With new frameworks for cyber metrics and reporting being implemented globally, regulators have effectively elevated risk to the same level of board awareness as financial risks.

The post Boardroom Blindspot: How New Frameworks for Cyber Metrics are Reshaping Boardroom Conversations appeared first on Security Boulevard.

Qualys this week reported the discovery of a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH servers (sshd) that could potentially impact more than 14 million Linux systems.

The post Latest OpenSSH Vulnerability Might Impact 14M Linux Systems appeared first on Security Boulevard.

Tim looks grim: 10 year old vulnerabilities in widely used dev tool include a CVSS 10.0 remote code execution bug.

The post ‘Perfect 10’ Apple Supply Chain Bug — Millions of Apps at Risk of CocoaPods RCE appeared first on Security Boulevard.

To bolster digital security and resilience across the semiconductor supply chain, a critical first step is that organizations across the supply chain must re-orient their cybersecurity strategies.

The post Building Resilience in the Chip Supply Chain appeared first on Security Boulevard.

Instead, it rearranged power to enable some groups to gain at the expense of many others.

Companies that implement a holistic Cloud Native Application Protection Platform (CNAPP) position themselves for game-changing advantages.

The post Is Your Cloud Security a Mess? Five Problems CNAPP Can Cure appeared first on Security Boulevard.

Integrating mobile ID verification into digital payment systems marks a significant milestone in the evolution of digital commerce.

The post How Mobile ID Verification is Shaping the Future of Digital Payments appeared first on Security Boulevard.

Critical infrastructure and public sector organizations such as government and municipalities, manufacturing units, communication networks, transportation services, power and water treatment plants, et. al, have been battling a growing wave of breaches and cyberattacks.

The post 7 Steps To Secure Critical Infrastructure  appeared first on Security Boulevard.

SolarWinds hackers strike again: Remote access service hacked—by APT29, says TeamViewer.

The post ‘Russia’ Breaches TeamViewer — ‘No Evidence’ Billions of Devices at Risk appeared first on Security Boulevard.

CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more. The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.” The widespread issue is further evidence of the vulnerability of the software supply chain. The researchers wrote that they often find that 70-80% of client code they review “is composed of open-source libraries, packages, or frameworks.”

The CocoaPods Vulnerabilities

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new 'Trunk’ server, which left 1,866 orphaned pods that owners never reclaimed. The other two CocoaPods vulnerabilities (CVE-2024-38368 and CVE-2024-38367) also date from the migration. For CVE-2024-38368, the researchers said that in analyzing the source code of the ‘Trunk’ server, they noticed that all orphan pods were associated with a default CocoaPods owner, and the email created for this default owner was unclaimed-pods@cocoapods.org. They also noticed that the public API endpoint to claim a pod was still available, and the API “allowed anyone to claim orphaned pods without any ownership verification process.” “By making a straightforward curl request to the publicly available API, and supplying the unclaimed targeted pod name, the door was wide open for a potential attacker to claim any or all of these orphaned Pods as their own,” wrote Reef Spektor and Eran Vaknin. Once they took over a Pod, an attacker would be able to manipulate the source code or insert malicious content into the Pod, which “would then go on to infect many downstream dependencies, and potentially find its way into a large percentage of Apple devices currently in use.” Earlier in 2014, a change was committed to the CocoaPods ‘Trunk’ source code implementing MX record validation for registered emails. The changes created a new attack path that was identified by analyzing the registration flow, resulting in the CVE-2024-38366 vulnerability. The changes created a new verification process for the user-provided email address using the third-party Ruby gem package rfc-822, which can be attacked in a few ways, potentially resulting in attacks that could “dump pod owners’ session tokens, poison client’s traffic or even shut down the server completely.” In CVE-2024-38367, the researchers found they could spoof XFH headers to engineer a zero-click account takeover by defeating email security boundaries. “Using this method, we managed to take over the owner accounts of some of the most popular CocoaPods packages,” the researchers said. “Potentially we could have used these accounts for highly damaging supply chain attacks that could impact the entire Apple ecosystem.”

DevOps Teams: Get to Work

While the vulnerabilities have been patched, the work for developers and DevOps teams is just getting started. Developers and DevOps teams that have used CocoaPods in recent years - particularly before October 2023 - "should verify the integrity of open source dependencies used in their application code,” the E.V.A researchers said. “The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package.” Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years, and close attention should be paid to software that relies on orphaned CocoaPod packages that do not have an owner assigned to them. Developers and organizations should review dependency lists and package managers used in their applications, validate checksums of third-party libraries, perform periodic scans to detect malicious code or suspicious changes, keep software updated, and limit use of orphaned or unmaintained packages. "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use these tools."

While AI helps automatically detect and respond to rapidly evolving threats, XAI helps security professionals understand how these decisions are being made.

The post What is the Role of Explainable AI (XAI) In Security? appeared first on Security Boulevard.

The Cyber Trust Mark is a labeling initiative for consumer IoT devices in the United States that builds on work undertaken by the FCC and NIST, establishing data privacy and cybersecurity standards for connected devices.

The post Cyber Trust Mark: The Impacts and Incentives of Early Adoption appeared first on Security Boulevard.

As employers scramble to find or train security talent, organizations that ignore the inclusive approach may weaken their competitive posture in the battle for talent and overall security.

The post Cybersecurity Workforce Sustainability has a Problem. DEI Could be the Solution. appeared first on Security Boulevard.

Digital nomads go where the wind takes them around the globe, often working from coffee shops, co-working locations or public libraries. They rely on connecting to their work life via their mobile hotspot or public wi-fi connections.

The post Remote Rigor: Safeguarding Data in the Age of Digital Nomads appeared first on Security Boulevard.

AI promises considerable benefits however there’s still a lot of confusion surrounding the topic, particularly around the terms generative AI and predictive AI.

The post Generative AI vs. Predictive AI: A Cybersecurity Perspective appeared first on Security Boulevard.

A threat group dubbed Unfurling Hemlock infects targeted campaign with a single compressed file that, once executed, launches a 'cluster bomb' of as many as 10 pieces of malware that include loaders, stealers, and backdoors.

The post Unfurling Hemlock Tossing ‘Cluster Bombs’ of Malware appeared first on Security Boulevard.

Chinese fast-fashion-cum-junk retailer “is a data-theft business.”

The post Temu is Malware — It Sells Your Info, Accuses Ark. AG appeared first on Security Boulevard.

Microsoft details Skeleton Key, a new jailbreak technique in which a threat actor can convince an AI model to ignore its built-in safeguards and respond to requests for harmful, illegal, or offensive requests that might otherwise have been refused.

The post Skeleton Key the Latest Jailbreak Threat to AI Models: Microsoft appeared first on Security Boulevard.

Navigating the landscape of customer interactions is a delicate balancing act that requires constant calibration between security and operability (or usability, if speaking from a customer’s perspective).

The post How to Enhance Security Without Affecting the Customer Experience appeared first on Security Boulevard.

Let’s examine why so many applications remain vulnerable despite high-severity warnings and how to minimize the threat to your organization.

The post The Urgency to Uplevel AppSec: Securing Your Organization’s Vulnerable Building Blocks appeared first on Security Boulevard.

The rate of cyberattacks is rising as the threat level continues to evolve, according to BlackBerry Limited’s latest Global Threat Intelligence Report.

The post Cyberattack Rate Surges as Novel Malware Growth Accelerates appeared first on Security Boulevard.

Mark Zuckerberg has criticized the notion of a singular, dominant AI in a new interview. He argued against the idea of AI technology being "hoarded" by one company, taking aim at unnamed competitors who he suggested view themselves as "creating God." Zuckerberg advocated for open-source AI development, emphasizing the need for diverse AI systems reflecting varied interests. He likened the future AI landscape to the current ecosystem of phone apps, content creators, and businesses, where no single entity dominates. Meta announced early U.S. tests of AI Studio, software enabling creators to build AI avatars for Instagram messaging. These AIs will be clearly labeled to avoid confusion. Zuckerberg stressed the importance of empowering many to experiment with AI, stating, "That's what culture is, right? It's not one group of people getting to dictate everything for people."

Read more of this story at Slashdot.

Researchers have identified three distinct nation-state campaigns leveraging advanced highly evasive and adaptive threat (HEAT) tactics.

The post Three Nation-State Campaigns Targeting Healthcare, Banking Discovered appeared first on Security Boulevard.

Cloud security has become a major focus for organizations worldwide as they battle with a growing number of data breaches and application sprawl that makes defense more complicated.

The post Cloud Security Tops Priority List for Organizations Globally appeared first on Security Boulevard.

Most organizations are uncertain about the effectiveness of their cybersecurity investments, despite increasing budgets and rampant cyber incidents, according to Optiv’s 2024 Threat and Risk Management Report.

The post Security Budgets Grow, but Inefficiencies Persist appeared first on Security Boulevard.

Read 30 remaining paragraphs | Comments

Threat actors can cover up their espionage activity by deploying ransomware or simply get some financial gain in the process.

The post Chinese APT Groups Use Ransomware to Hide Spying Activities appeared first on Security Boulevard.

30,000 websites at risk: Check yours ASAP! (800 Million Ostriches Can’t Be Wrong.)

The post WordPress Plugin Supply Chain Attack Gets Worse appeared first on Security Boulevard.

A report from the Government Accountability Office (GAO) highlighted an urgent need to address critical cybersecurity challenges facing the nation.

The post GAO Urges Action to Address Critical Cybersecurity Challenges Facing U.S. appeared first on Security Boulevard.

In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication (MFA) issues, according to the latest Cisco Talos report.

The post Misconfigured MFA Increasingly Targeted by Cybercriminals appeared first on Security Boulevard.

Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.

The post Stepping Into the Attacker’s Shoes: The Strategic Power of Red Teaming (Insights from the Field) appeared first on Security Boulevard.

By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices.

The post EU Opens the App Store Gates: A Call to Arms for MDM Implementation appeared first on Security Boulevard.