CISA inks 68 tech vendors to secure-by-design pledge — but will it matter?
CSO Online
35m ago
Some of the biggest names in the tech industry have signed a public pledge, backed by the US Cybersecurity and Infrastructure Security Agency (CISA), promising to implement important software security measures in their products. CISA's “Secure by Design” pledge outlines seven areas in which signatories are expected to make significant improvements: multifactor authentication should be enabled by default, default passwords should be randomized or mandatorily changed on first use, and SQL injection attacks should be eliminated by, for example, enforcing parameterized queries. The pledge also asks signe ..read more
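As an added illustration of the parameterized-query item in the pledge (this is example code, not from the article, CISA, or any signatory), the following Python script uses the standard-library sqlite3 module and a constructed in-memory table to show the same lookup written both ways and what a classic injection payload does to each:

```python
import sqlite3

# Constructed sample data for the example (not from the article): three
# accounts loaded into an in-memory SQLite database so the script runs offline.
SAMPLE_USERS = [("alice", "active"), ("bob", "active"), ("carol", "disabled")]


def make_db() -> sqlite3.Connection:
    """Create the throwaway database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Query assembled by string concatenation (the anti-pattern).

    Attacker-controlled input is spliced into the SQL text, so a quote in
    the input closes the literal and the rest is parsed as SQL grammar.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter (the pledge's recommended form).

    The '?' placeholder keeps the query structure fixed; the driver passes
    the value separately, so it can only ever be compared as data.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo(payload: str = "' OR '1'='1") -> dict:
    """Run both lookups against the same injection payload and return the rows."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "parameterized": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    # The concatenated query returns every user; the bound one returns none,
    # because no user is literally named "' OR '1'='1".
    print(demo())
```

The payload works against the concatenated query because the resulting text is `SELECT name FROM users WHERE name = '' OR '1'='1'`, a tautology that matches every row; with a bound parameter the same string is compared as an opaque value and matches nothing.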
Google Chrome gets a patch for actively exploited zero-day vulnerability
CSO Online
4h ago
Google released a Chrome stable-channel update on Thursday to patch a high-severity vulnerability that was being exploited in the wild, the second Chrome zero-day patched this year. The vulnerability, tracked as CVE-2024-4671, is described as a use-after-free memory bug in the browser’s Visuals component. Details about the vulnerability are still restricted from public view, but the company said it is aware that an exploit for the flaw exists in the wild. The Chrome developers credited an anonymous third party with reporting the security issue on May 7. The vulnerability was patched two days ..read more
Dell data breach exposes data of 49 million customers
CSO Online
13h ago
Dell Technologies has sent out emails to its customers, warning them of a data breach that potentially exposed the information of approximately 49 million customers. The emails come days after a threat actor called Menelik claimed the breach on BreachForums and offered to sell “data for 49 million customers and other information systems purchased from Dell between 2017-2024.” “We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell,” Dell said in the email. The type of information ..read more
Some strategies for CISOs freaked out by the specter of federal indictments
CSO Online
19h ago
Recent legal actions against top cybersecurity professionals have sent shockwaves through the information security community, sparking fear and uncertainty over whether decisions made during the chaos of a cybersecurity incident could end up costing IT security leaders their jobs, their financial security, or even their freedom. In the most prominent case, Joe Sullivan, former CISO of Uber, was sentenced in 2023 to three years of probation and ordered to pay a $50,000 fine after a jury found him guilty of obstructing an official proceeding and a failure to repor ..read more
Strong CIO-CISO relations fuel success at Ally
CSO Online
2d ago
CIO, CSO and CISO, IT Leadership ..read more
Zscaler shuts down exposed system after rumors of a cyberattack
CSO Online
2d ago
In response to rumors that a threat actor had hacked its systems and was selling access to them, Zscaler said it has taken a “test environment” that was found to be exposed offline for analysis. “Our investigation discovered an isolated test environment on a single server (without any customer data) which was exposed to the internet,” Zscaler confirmed in a May 8 update on its Trust site. “Zscaler can confirm there is no impact or compromise to Zscaler’s customer, production and corporate environments.” In an earlier post, the company said it had initiated an investigation immediately after learning ..read more
Palo Alto launches AI-powered solutions to fight AI-generated cyberthreats
CSO Online
2d ago
Palo Alto Networks has launched a new suite of security solutions designed to help enterprises combat AI-generated cyberthreats. The suite is powered by its proprietary solution, Precision AI, which integrates machine learning, deep learning, and generative AI technologies, the company said in a statement. Precision AI is integrated into Palo Alto’s platforms, including Strata, Prisma, and Cortex. This will enable enterprises to use AI to defend against AI-powered cyberattacks, streamlining the process and fortifying the security ecosystem, the company said. “Platformization is the approach ..read more
F5 patches BIG-IP Next Central Manager flaws that could lead to device takeover
CSO Online
2d ago
Multi-cloud application security and delivery company F5 has fixed two high-risk vulnerabilities in BIG-IP Next Central Manager, the central component used to manage BIG-IP Next load balancers and app security instances running on-premises or in the cloud. According to the researchers who found them, the flaws could potentially be used to gain full administrative control on affected devices by leaking admin password hashes and then cracking them offline. “These weaknesses can be used in a variety of potential attack paths,” researchers from security firm Eclypsium said in a blog post. “At a ..read more
Suspected Chinese hack of Britain’s Ministry of Defence payroll linked to government contractor, minister confirms
CSO Online
2d ago
A suspected Chinese hack that exposed the payroll records of 270,000 members of the British armed services was connected to the “potential failings” of a government contractor, UK defence secretary Grant Shapps has told the British Parliament. News of the incident became public on May 7, when government sources briefed journalists about a major hack of the Ministry of Defence (MOD) allegedly conducted by the Chinese state. The data put at risk included the names and bank details of current, reservist and retired members of the Royal Navy, Army, and Royal Air Force. A small but unconfirmed nu ..read more
Massive security hole in VPNs shows their shortcomings as a defensive measure
CSO Online
2d ago
A massive security hole in virtual private networks (VPNs) reported this week highlights the fact that they were never intended to fulfil a security function, despite their widespread use as a defensive measure, according to security experts. The flaw, which cannot be patched or meaningfully mitigated, was reported in a blog post by the Leviathan Security Group. The post outlines a technique dubbed TunnelVision that attackers can use to divert traffic out of the VPN tunnel so that it can be read in clear text on the network. What makes the hole more dangerous is that ..read more