Invisible QR codes embed object data into infrared tags
Barcodes and QR codes feel like they’re everywhere nowadays, but they don’t have to be. Scientists at MIT have developed an invisible tagging system called BrightMarker, which embeds fluorescent tags into objects that can be viewed and tracked through an infrared camera.
Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders.
In large metropolitan areas, tourists are often easy to spot because they're far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions…
Parents, domestic violence victims, lawyers: Read about people who protect their privacy with free software — Free Software Foundation — Working together for free software
Some best practices and important defenses to prevent common attacks against GitHub Actions that are enabled by stolen personal access tokens, compromised accounts, or compromised GitHub sessions.
One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects…
Who and What is Behind the Malware Proxy Service SocksEscort?
Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into a botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service…
FBI Seizure of Mastodon Server is a Wakeup Call to Fediverse Users and Hosts to Protect their Users
We’re in an exciting time for users who want to take back control from major platforms like Twitter and Facebook. However, this new environment comes with challenges and risks for user privacy, so we need to get it right and make sure networks like the Fediverse and Bluesky are mindful of past...
RFC 9446: Reflections on Ten Years Past the Snowden Revelations
This memo contains the thoughts and recountings of events that transpired during and after the release of information about the United States National Security Agency (NSA) by Edward Snowden in 2013. There are four perspectives: that of someone who was involved with sifting through the information to responsibly inform the public, that of a security area director of the IETF, that of a human rights expert, and that of a computer science and affiliate law professor. The purpose of this memo is to provide some historical perspective, while at the same time offering a view as to what security and privacy challenges the technical community should consider. These essays do not represent a consensus view, but that of the individual authors.
Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us | InformIT
175+ Cybersecurity Misconceptions and the Myth-Busting Skills You Need to Correct Them. Cybersecurity is fraught with hidden and unsuspected dangers and difficulties. Despite our best intentions, there are common and avoidable mistakes that arise from folk wisdom, faulty assumptions about the world, and our own human biases. Cybersecurity implementations, investigations, and research all suffer as a result.
Lessons from 'Star Trek: Picard'—A cybersecurity expert explains how a sci-fi series illuminates today's threats
(Editor's note: This article contains plot spoilers.) Society's understanding of technology and cybersecurity often is based on simple stereotypes and sensational portrayals in the entertainment media. I've written about how certain scenarios are entertaining but misleading. Think of black-clad teenage hackers prowling megacities challenging corporate villains. Or think of counterintelligence specialists repositioning a satellite from the back of a surveillance van via a phone call.
Code scanning detects ReDoS vulnerabilities automatically, but fixing them isn’t always easy. This blog post describes a 4-step strategy for fixing ReDoS bugs.
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
Pipeline controls can only ensure security and compliance for changes that have gone through the pipeline. They don't account for "dark deploys" from bad actors who access production by going around the golden path.