Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture
The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it...
New subcontractor can be set for a SCConfirmed task without current subcontractor consent
Lines of code Vulnerability details Malicious builder/contractor can change the subcontractor for any task even if all the terms were agreed upon and work was started/finished, but the task wasn't set to completed yet, i.e. it's SCConfirmed, getAlertstaskID2 == true. This condition is not checked ...
Anyone can create disputes if contractor is not set
Lines of code Vulnerability details Impact Disputes enable an actor to arbitrate & potentially enforce requested state changes. However, the current implementation does not properly implement authorization, thus anyone is able to create disputes and spam the system with invalid disputes. Proof of...
It should never be possible to change the status of a completed task
Lines of code Vulnerability details High Risk Finding Impact In Project.sol, once a task is set as completed by calling function setComplete, the contract pays the subcontractor. Once in this state, it should not be possible to change the task state back to ACTIVE/INACTIVE, because then the same...
REvil Hits US Nuclear Weapons Contractor: Report
Sol Oriens, a subcontractor for the U.S. Department of Energy DOE that works on nuclear weapons with the National Nuclear Security Administration NNSA, last month was hit by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service RaaS gang. The Albuquerque, N.M...
A week in security (June 10 – 16)
Last week on Malwarebytes Labs, we revealed to readers the mindset of security pros as to why they lack confidence in their ability to prevent their organizations getting breached. We also reported on Maine Governor Janet Mills implementing the state's own privacy protections, how Apple can bette...
Data Breach Exposes 100K U.S. Traveler Photos, License Plates
UPDATE The U.S. Customs and Border Protection said that a recent data breach exposed photos of the faces and license plates for more than 100,000 travelers driving in and out of the country. The department said Monday that the breach stemmed from an attack on a federal subcontractor. Customs and...
Pentagon Subcontractor Inadvertently Leaks 11 Gigs of Sensitive Data
A slew of sensitive data pertaining to psychologists, doctors and other healthcare professionals involved with an arm of the U.S. Department of Defense was recently left unsecured online. Chris Vickery, a security researcher with MacKeeper who has stumbled across unsecured internal databases...
New Study Sees Need for Better Software Integrity Controls
Software security has become one of the more widely discussed and debated topics in the security industry in the last few years, as many software vendors and enterprises both large and small have begun to focus considerable attention on improving the processes they have in place for producing...