GitHub Notifies Victims Whose Private Data Was Accessed Using OAuth Tokens
GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI. "Customers should also continue to monitor Heroku an...
Reduce Risk from Insider Threats Using Imperva Data Security Fabric
The definition of insider threats is as broad as the risks it represents. While insider threats may originate from negligent or malicious employees, they can also be external cybercriminals who bypassed perimeter controls using a compromised user account. No matter the source, or motivation,...
The vulnerability of the filter16_prewitt function in the libavfilter/vf_convolution.c component of the FFmpeg multimedia library allows a perpetrator to access confidential data, compromise its integrity, and cause service failures.
The vulnerability of the filter16_prewitt function in the libavfilter/vf_convolution.c component of the FFmpeg multimedia library is related to integer overflow. Exploiting this vulnerability allows a remote attacker to access confidential data, compromise its integrity, and cause service failures...
Why Customers Asked us for a Data Security Fabric (Even When They Didn’t Know to ask for it by Name)
Our journey to the data security fabric started a while back when we built the industry’s first data security platform based on what customers said they needed and working with customers as design partners. The concept of a software platform has been around for a long time. Like all platforms, we...
The vulnerability of the Web Access component of the Primavera Portfolio Management software allows a malicious individual to gain unauthorized access to read, modify, or delete data.
The vulnerability of the Web Access component of Primavera Portfolio Management, a software solution for automating production process management, is related to insufficient verification of input data. Exploiting this vulnerability could allow an attacker, operating remotely, to gain unauthorized...
CVE-2021-32977
CVE-2021-32977 affects AVEVA System Platform versions 2017–2020 R2 P01 and describes improper verification of the cryptographic signature for data. Connected sources corroborate the issue and note the vulnerability’s CVSS context (e.g., CVSS v3 base 7.2 in ICS updates) and that exploitation is no...
A Bridge Over the Chasm: A Primer on the Release of PCI 4.0
The Payment Card Industry (PCI) Security Standards Council (SSC) has just released version 4.0 of the Data Security Standard (DSS). Developing DSS 4.0 took almost four years and included several rounds of Request for Comments (RFC) from Participating Organizations and other interested parties. This new...
Fake Emergency Search Warrants Draw Scrutiny from Capitol Hill
On Tuesday, KrebsOnSecurity warned that hackers increasingly are using compromised government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies. Today, one of the U.S. Senate's most tech-savvy lawmakers said he was trouble...
On the Radar: Is 2022 the year encryption is doomed?
By Martin Lee. Quantum technology in development by the world’s superpowers will render many current encryption algorithms obsolete overnight. When it becomes available, whoever controls this technology will be able to read almost any encrypted data or message they wish. Organizations need... Thi...
CVE-2021-22572
CVE-2021-22572 concerns a data disclosure in Unix-like environments where the system temporary directory is shared among users. The root cause is that File.createTempFile creates files in the system tmp directory with world-readable permissions, allowing any local user to view sensitive data writ...
Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”
There is a terrifying and highly effective "method" that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government...
Synology DiskStation Manager Information Disclosure Vulnerability (CNVD-2022-67834)
Synology DiskStation Manager (DSM) is an operating system for use on Network Storage Servers (NAS) from Synology Inc. of Taiwan, China. This operating system manages information such as data, files, photos, music, and more. An information disclosure vulnerability exists in Synology DiskStation Manage...
McAfee Enterprise ePolicy Orchestrator SQL Injection Vulnerability
McAfee ePolicy Orchestrator (McAfee ePO) is a U.S.-based solution for managing endpoint, network, data security, and compliance. A SQL injection vulnerability exists in versions of McAfee Enterprise ePolicy Orchestrator prior to 5.10 Update 13. The vulnerability stems from the application's lack of...
IBM Security Guardium Insights Information Disclosure Vulnerability (CNVD-2022-60422)
IBM Security Guardium Insights is a set of data security solutions from IBM Corporation in the United States. The product supports data analysis, threat alerts, data security auditing and local data monitoring. IBM Security Guardium Insights has an information leakage vulnerability that could be...
How to use the Gartner® 2022 Strategic Roadmap for Data Security Platform Convergence
“It is not the strongest species that survive, nor the most intelligent, but the ones most responsive to change.” – Charles Darwin Evolution and innovation form the basis of most modern business mission statements. However, the same organizations pursuing growth and change often do not put...
Clouding the issue: what cloud threats lie in wait in 2022?
As more services move ever cloud-wards, so too do the thoughts of attackers as to how best to exploit them. With all that juicy data sitting on someone else’s servers, it’s essential that they run a tight ship. You’re offloading some of your responsibility onto a third party, and sometimes things can go...
By the Numbers: The Cost of Insider Data Breach vs The Cost of Protection
The global business data security landscape has become dramatically more challenging over the last few years. One of the main reasons for this is insider threats, as reported in the 2022 Cost of Insider Threats Global Report, independently conducted by The Ponemon Institute. Several factors have...
CVE-2022-22353
CVE-2022-22353 affects IBM Big SQL on IBM Cloud Pak for Data (versions 7.1.1; 7.2.0–7.2.3) where an authenticated user with appropriate privileges can bypass data masking rules via CREATE TABLE AS/SELECT, resulting in leakage of sensitive data. The IBM Security Bulletin notes a software defect: da...
Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE
It wasn’t long ago that medical devices were isolated and unconnected, but the rise of IoT has brought real computing power to the network edge. Today, medical devices are transforming into interconnected, smart assistants with decision-making capabilities. Any device in a medical setting must be...
CVE-2022-25511
FreeTAKServer-UI v1.9.8 contains a path traversal vulnerability in the ?filename= parameter of the /DataPackageTable route that can allow attackers to place arbitrary files on the system. This is documented across multiple sources (CVE-2022-25511 and related advisories). The exact root cause is n...