Google Spices Up Supply Chain Security with SLSA Framework

Google has proposed a new framework to mitigate the growing risks posed by attacks on the software supply chain. The Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is designed to ensure the integrity of software artifacts across the entire supply chain. It’s based on Google’s own Binary Authorization for Borg framework, which the tech giant has been using as standard for all its production workloads for over eight years. “The goal of SLSA is…

Infosecurity Europe 2021 Postpones Live Event

Infosecurity Europe has announced that it is postponing the live event due to run at London Olympia in July, following the government’s delay in lifting the final COVID-19 restrictions. Infosecurity Europe will instead deliver a virtual exhibition and conference from 13-15 July 2021, the original dates of the event. The in-person event will now be held in 2022. The plan, before government restriction lifting was delayed, was to combine both live and online elements of Infosecurity…

Novel Phishing Attack Uses Google Drive and Docs

Enterprising cyber-criminals have found a way to create convincing phishing emails which abuse Google Docs and Drive functionality to bypass security filters, according to Avanan. Researchers at the email security vendor claimed this is the first time such techniques have been used to piggyback on a popular service like Google’s. The email that victims receive contains what appears to be a legitimate Google Docs link, Avanan explained in a blog post. Clicking through takes the user to…

Carnival Confirms Another Security Breach Impacting Staff and Passengers

One of the world’s largest cruise ship operators has disclosed a data breach from mid-March, impacting an unspecified number of customers, employees, and crew. Carnival Corporation runs many of the globe’s leading cruise lines, including P&O, Cunard and Carnival Cruise Line. According to a data breach notification letter sent to customers and seen by Infosecurity, the firm detected unauthorized third-party access to a “limited number” of email accounts on March 19. “The impacted information includes data routinely…

Getting employees invested: Overcoming complacency to emphasize security

Getting employees invested: Overcoming complacency to emphasize security | 2021-06-18 | Security Magazine

New possibilities for innovating at the IoT Edge

This blog was co-written by Mirko Grabel, Technical Marketing Leader, and Flo Pachinger, Developer Advocate. Get ready for an all-new Cisco industrial router: the Cisco Catalyst IR1800 Rugged Series. With many new interfaces and modules backed by a stronger CPU and more memory, the IR1800 series gives IoT application developers new possibilities for innovating at the IoT Edge, for example to host applications that can extract and transform IoT data right at the edge. The…

Manage the Cloud Permissions Gap to Achieve Zero Trust

The Cloud Permissions Gap exposes organizations to highly exploitable risk combined with the inability to implement and manage Zero Trust policies. By Raj Mallempati, CloudKnox Security COO. In 2020, when organizations were prioritizing digital transformation so they could pivot to remote work on an unprecedented scale, Gartner added a new category to its 2020 Hype Cycle for Identity and Access Management Technologies called Cloud Infrastructure Entitlement Management (CIEM). CIEM? Looks a lot like SIEM. CIEM…

A Billion CVS Records Exposed

More than a billion records were exposed after a misconfiguration error left a CVS Health cloud database without password protection. The 240GB of unsecured data was discovered by WebsitePlanet and security researcher Jeremiah Fowler in a cooperative investigation. Because of the security oversight by CVS Health, which owns CVS Pharmacy and Aetna, a total of 1,148,327,940 records were exposed. Information that was left publicly accessible to anyone who knew how to look for it included customers’ search histories detailing their…

After Gaza ceasefire, MoleRATs hacking group continues to target Middle Eastern governments – CyberScoop

Written by Sean Lyngaas, Jun 17, 2021 | CYBERSCOOP. Days after Israel and Gaza-based militant group Hamas agreed to a ceasefire in May, Arabic-speaking hackers resumed an effort to break into government networks in the Middle East, according to research published Thursday. The hacking group, known as MoleRATs, sent target organizations a malware-laced PDF claiming to be a report on Hamas members meeting with the Syrian government, security firm Proofpoint said. The malicious code is…
