Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The 2021 Log4Shell incident cast a bright light on open source software security — and especially on supply chain security. The 18 months following the incident brought a greater focus on open source software security than at any time in history. Organizations like the OpenSSF, AlphaOmega, and large technology companies are putting considerable resources towards tooling and education. But is open source software security actually improving? And where are efforts still falling short?

On July 24th, 2023, Ivanti released a security advisory detailing a remote authentication bypass vulnerability (CVE-2023-35078) affecting Ivanti Endpoint Manager Mobile. This vulnerability, with a CVSS score of 10, allows unauthenticated access to specific API paths, which could allow a threat actor to obtain personal identifiable information (PII) such as names, phone numbers, and other mobile device details.

Since the fallout of Conti ransomware in mid-2022, Conti-affiliated threat actors have splintered off and developed or joined other ransomware groups to continue extorting victim organizations. Due to Conti’s source code being leaked, attribution back to the Conti ransomware group via code overlap is much more difficult. However, leveraging blockchain analysis, we can begin to discern what ransomware groups Conti-affiliated threat actors have worked with; one such group is Akira.

We recently shared that we’ll soon be rolling out a privacy-preserving telemetry system that will help us improve 1Password by leveraging aggregated, de-identified usage data. Here we’ll share technical details about how this system works and the steps we’ve taken to protect customer privacy while engaging with the resulting data.

Bots have become integral to our lives, offering many benefits across various industries. Of all these bots, there are good bots, bots for telling dad jokes and (significantly less cool) bots focused on distributing malware. Understanding the types of bots out there should help you harness the power of good bots while helping you identify bots to avoid. This article will explore all types of bots, empowering you to make informed decisions and reap the rewards while keeping risks at bay.

HTTP Strict Transport Security (HSTS) plays an important role in web security — ensuring secure communication between websites and the web browsers of users. Read on to learn about the importance of HSTS, key features such as HSTS preloading, the threats that HSTS can mitigate, and some of the limitations of the protocol.

If you’ve been following our series on the PEAK threat hunting framework, you might already know that the purpose of threat hunting isn’t just to find security incidents your automated detection systems missed. Finding incidents is more like a helpful side effect. The real reason to hunt is to drive improvement to your security posture over time.

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) voted to adopt new cybersecurity requirements for publicly traded companies, creating new obligations for reporting “material” cybersecurity incidents and requiring more detailed disclosure of cybersecurity risk management, expertise, and governance. Companies will be required to disclose risks in their annual reports beginning on December 15, 2023.

Have you ever wondered why PIN pads at grocery stores often have a protective shield surrounding the buttons? It’s to prevent an attack called “shoulder surfing.” Shoulder surfing is a method of information theft in which the perpetrator watches the victim from nearby to see any information they type or view on their screens. Keep reading to learn why shoulder surfing is a threat to cybersecurity and how to protect your private information from this form of attack.

Social engineering has long been a popular tactic among cybercriminals. Relying exclusively on information security tools does not guarantee the safety of an IT infrastructure these days. It is critically important to enhance the knowledge of employees regarding information security threats. Specifically, there is often a pressing need to educate employees about phishing. But how could phishing awareness training go wrong, and what can be done about it?