22Sep 2021 by

Distroless Builds Are Now SLSA 2 (Google Online Security Blog)

Actualités, Sécurité
Posted by Priya Wadhwa and Appu Goundan, Google Open Source Security Team A few months ago we announced that we started signing all distroless images with cosign, which allows users to verify that they have the correct image before starting the build process. Signing our images was our first step towards fully securing the distroless supply chain. Since then, we’ve implemented even more accountability in our supply chain and are excited to announce that distroless builds have achieved SLSA 2. SLSA is a security framework for increasing supply chain security, and Level 2 ensures that the build service is tamper resistant. This means that in addition to a signature, each distroless image now has an associated signed provenance. This provenance is an in-toto attestation and includes information around how each…
Read More
21Sep 2021 by

An update on Memory Safety in Chrome (Google Online Security Blog)

Actualités, Sécurité
Adrian Taylor, Andrew Whalley, Dana Jansens and Nasko Oskov, Chrome security team Security is a cat-and-mouse game. As attackers innovate, browsers always have to mount new defenses to stay ahead, and Chrome has invested in ever-stronger multi-process architecture built on sandboxing and site isolation. Combined with fuzzing, these are still our primary lines of defense, but they are reaching their limits, and we can no longer solely rely on this strategy to defeat in-the-wild attacks. Last year, we showed that more than 70% of our severe security bugs are memory safety problems. That is, mistakes with pointers in the C or C++ languages which cause memory to be misinterpreted. This sounds like a problem! And, certainly, memory safety is an issue which needs to be taken seriously by the global…
Read More
21Sep 2021 by

Does Your Organization Have a Security.txt File? (Krebs on Security)

Actualités, Sécurité
It happens all the time: Organizations get hacked because there isn’t an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isn’t entirely clear who should get the report when remote access to an organization’s internal network is being sold in the cybercrime underground. In a bid to minimize these scenarios, a growing number of major companies are adopting “Security.txt,” a proposed new Internet standard that helps organizations describe their vulnerability disclosure practices and preferences. An example of a security.txt file. Image: Securitytxt.org. The idea behind Security.txt is straightforward: The organization places a file called security.txt in a predictable place — such as example.com/security.txt, or example.com/.well-known/security.txt. What’s in the security.txt file varies somewhat, but most include links to information about the…
Read More
17Sep 2021 by

Trial Ends in Guilty Verdict for DDoS-for-Hire Boss (Krebs on Security)

Actualités, Sécurité
A jury in California today reached a guilty verdict in the trial of Matthew Gatrel, a St. Charles, Ill. man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. Gatrel’s conviction comes roughly two weeks after his co-conspirator pleaded guilty to criminal charges related to running the services. The user interface for Downthem[.]org. Prosecutors for the Central District of California charged Gatrel, 32, and his business partner Juan “Severon” Martinez of Pasadena, Calif. with operating two DDoS-for-hire or “booter” services — downthem[.]org and ampnode[.]com. Despite admitting to FBI agents that he ran these booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the…
Read More
16Sep 2021 by

Customer Care Giant TTEC Hit By Ransomware? (Krebs on Security)

Actualités, Sécurité
TTEC, [NASDAQ: TTEC], a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident that appears to be the result of a ransomware attack, KrebsOnSecurity has learned. While many companies have been laying off or furloughing workers in response to the Coronavirus pandemic, TTEC has been massively hiring. Formerly TeleTech Holdings Inc., Englewood, Co.-based TTEC now has nearly 60,000 employees, most of whom work from home and answer customer support calls on behalf of a large number of name-brand companies, like Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon. On Sept. 14, KrebsOnSecurity heard from a reader who passed on an internal message apparently…
Read More
15Sep 2021 by

Google Supports Open Source Technology Improvement Fund (Google Online Security Blog)

Actualités, Sécurité
Posted by Kaylin Trychon, Google Open Source Security Team  We recently pledged to provide $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities. As part of this commitment, we are excited to announce our support of the Open Source Technology Improvement Fund (OSTIF) to improve security of eight open-source projects. Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open source ecosystem. The eight libraries, frameworks and apps that were selected for this round are those that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them. The projects include:Git - de facto version control software used in…
Read More
14Sep 2021 by

Microsoft Patch Tuesday, September 2021 Edition (Krebs on Security)

Actualités, Sécurité
Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that’s reportedly been abused to install spyware on iOS products, and Google‘s got a new version of Chrome that tackles two zero-day flaws. Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software. Four of the flaws fixed in this patch batch earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by miscreants or malware to remotely compromise a Windows PC with little or no help from the user. Top of the critical heap is CVE-2021-40444, which affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and…
Read More
23Fév 2021 by

Smart cities : la prochaine étape des cybercriminels (JDN : Derniers contenus)

Actualités
Les innombrables avantages des villes intelligentes, à la fois durables et novatrices, reposent par définition sur une série d'appareils, de systèmes industriels, et d’objets interconnectés qui constituent dans leur ensemble une architecture IT complexe. Seulement, leur plus grande force, résidant dans leur capacité intrinsèque à s'interconnecter, peut également devenir leur plus grande faiblesse.  Imaginons un instant l'ampleur des dommages que des cybercriminels pourraient causer dans une ville entièrement connectée, reposant sur l'interopérabilité des systèmes. Un seul capteur peut fournir un point d'entrée, constituant ainsi une brèche pour atteindre l’ensemble du système. Si l’un des appareils ne dispose pas d'une sécurité suffisante ou si son certificat a expiré (ce qui, avouons-le, peut encore arriver), l'ensemble de la structure devient vulnérable aux attaques. Cette dernière peut alors subir des pannes momentanées affectant…
Read More
22Fév 2021 by

2010-2020 : les attaques de ransomware sont devenues mortelles (JDN : Derniers contenus)

Actualités
Ces dix dernières années, les cyberattaques sont devenues une menace majeure pour les entreprises et leurs données, mais pour les entreprises de secteurs critiques comme l’énergie ou la santé, il est devenu évident que l'impact d'une cyberattaque dépasse maintenant la simple perte de données. Un temps mort dans ces secteurs peut vite devenir synonyme de pertes en vies humaines ou d’accidents graves. Après dix ans d’attaques et d’évolutions, les cybercriminels ciblent maintenant les systèmes essentiels des entreprises en sollicitant des paiements en échange d'une clé de décryptage. Pour maximiser leurs chances, ils s’attaquent aux systèmes essentiels pour maintenir les entreprises en activité. Les secteurs clés de notre économie ont donc dû considérablement étendre et adapter leurs protocoles de protection et de sécurisation des données. Pour faire face à ces défis,…
Read More
19Fév 2021 by

De l’importance de bien savoir gérer les risques liés aux tiers (JDN : Derniers contenus)

Actualités
La règlementation actuelle se faisant de plus en plus stricte, notamment avec la loi Sapin 2 et le RGPD, ce risque n’est plus seulement technologique mais également légal et financier. Savoir gérer ces tiers, et les risques qu’ils font potentiellement peser sur votre entreprise est donc essentiel. Le risque cyber lié aux tiers : fuite de données, indisponibilité des services suite à une attaque par ransomware, espionnage industriel, est en augmentation depuis des années. L’externalisation de plus en plus importante des services de l’entreprise provoque des interconnexions plus fortes des systèmes d’information (SI) entre fournisseurs et clients. Le nombre de données partagées, dont certaines sont particulièrement sensibles, augmente et devient difficile à contrôler. Si les entreprises ont appris au fil des années à protéger leur SI, quand en est-il des tiers…
Read More