bp Launchpad, the in-house business accelerator for bp, has selected Salt Security as its technology solution for API security. 

The business accelerator aims to strengthen energy resilience by aiding in the growth of global startup companies within the renewable energy sector. The companies involved are digitally-led and help deliver cleaner, more affordable, and reliable energy.

bp Launchpad supports its associates by sharing its expertise, including in building technology infrastructure, across multiple business functions. Technology solutions are provided in an attempt to bolster capabilities and drive growth.

Tom Salmon, Head of Cyber for bp Launchpad, recognised immediately the importance of API security for their startup companies. These digital businesses are all dependent on APIs as the foundation for their applications and services.

“If an attacker exploits a Broken Object-Level Authorization (BOLA) flaw to manipulate API requests and alters an energy device, if they make a change to an asset that they shouldn’t have access to, that has real human impact – physical, real-world impact – and that’s our biggest concern,” Salmon said.

BOLA flaws occur when API calls include an identifier of a resource and the API grants access to that resource without checking caller permissions.
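The flaw described above, as an added example that is not part of the original article: a device-update handler with the BOLA defect next to its fixed form. The handler is modelled as a plain Python function rather than any particular web framework, and the device ids, owners and power values are constructed for illustration.

```python
# Added example (not from the article): an in-memory model of an energy-device
# API showing a BOLA defect and the object-level ownership check that fixes it.
from dataclasses import dataclass


@dataclass
class Device:
    device_id: int
    owner: str        # account allowed to manage this device
    target_kw: float  # configured output, constructed value


def make_devices() -> dict:
    """Constructed inventory: two customers, each owning one asset."""
    return {
        101: Device(device_id=101, owner="alice", target_kw=7.0),
        202: Device(device_id=202, owner="bob", target_kw=11.0),
    }


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested object."""


def update_device_vulnerable(devices: dict, caller: str, device_id: int,
                             target_kw: float) -> Device:
    """BOLA: trusts the identifier in the request and never checks the caller,
    so any authenticated user can change any device by supplying its id."""
    device = devices[device_id]
    device.target_kw = target_kw
    return device


def update_device_fixed(devices: dict, caller: str, device_id: int,
                        target_kw: float) -> Device:
    """Object-level authorization: resolve the object, then verify that the
    authenticated caller owns it before applying the change."""
    device = devices.get(device_id)
    # Same response for unknown and foreign ids, so the API does not reveal
    # which identifiers exist to a caller probing the id space.
    if device is None or device.owner != caller:
        raise Forbidden(f"{caller} may not modify device {device_id}")
    device.target_kw = target_kw
    return device


if __name__ == "__main__":
    store = make_devices()
    # bob changes alice's asset through the unchecked handler
    print(update_device_vulnerable(store, "bob", 101, 22.0))
    try:
        update_device_fixed(make_devices(), "bob", 101, 22.0)
    except Forbidden as err:
        print("blocked:", err)
```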

Tom and bp Launchpad recognise the risks inherent in APIs:

“We work alongside several digital companies going through a transformation to utilising hardware and other physical tech. The connectivity and data sharing core to their business requires data to pass through a central control, which poses a huge threat. If an attacker were to breach the central control they could cause significant disruption to business function.”

Companies are increasingly recognising that dedicated API security is critical to securing platform services. Gartner reinforced this last year when, for the first time, it added a separate pillar for API discovery and protection to its security reference architecture.

As the API attack surface expands, companies need more context to provide adequate protection. Tom believes that security teams have an obligation to provide solutions that reduce risk without adding complexity or slowing down the business. Security is responsible for giving cross-functional teams the answers and dedicated solutions that make it easy to deploy and detect the growing number of APIs.

The post Salt Security Helps bpLaunchpad Reimagine energy by Enabling API Based Innovation appeared first on IT Security Guru.

Crossword Cybersecurity Plc has released a report highlighting anxieties surrounding security strategies soon growing outdated.

Over 200 CISOs and senior cybersecurity professionals were surveyed.

Key findings include:

  • 40% of respondents expect their current cybersecurity strategy to be outdated in the next two years.
  • A further 37% expect their current cybersecurity strategy to be outdated in the next three years.
  • 61.4% were “fairly confident” in their ability to prevent cyber attacks.
  • 44% said they had the means necessary to protect their organisation from immediate and mid-term risk.

“Boards must make sure CISOs have the budget necessary to get short-term issues under control and then begin planning a long-term business-wide strategy. Such a strategy should be supported by a standard operating model with robust processes and policies for the company’s entire supply chain. Every month of delay leaves businesses open to potentially crippling cyber-attacks,” stated Stuart Jubb, Group Managing Director at Crossword Cybersecurity plc, in a press release.

The post Security pros believe cybersecurity strategies will soon be obsolete appeared first on IT Security Guru.


Insider threats were responsible for 68% of data breaches at UK law firms, according to new research from the Information Commissioner’s Office (ICO).

Analysis of ICO data from Q3 2021 by NetDocuments found that only 32% of breaches in the legal sector were caused by outside threats.

Other key findings include:

  • 54% of data breaches were due to human error.
  • 52% of breaches occurred from employees sharing data with the wrong person.
  • 10% of incidents were attributed to data loss.

The post Insider threats caused 68% of legal sector breaches appeared first on IT Security Guru.

DuckDuckGo, a privacy-focused web browser, has come under fire for allowing Microsoft trackers on third-party sites as part of its syndicated search content contract with the company.

The search engine takes pride in not tracking user searches or behaviour, and in not building user profiles to display targeted advertising, instead using contextual advertisements from its partners.

While DuckDuckGo does not store personal identifiers, Microsoft advertising can track your IP address, among other information, when you click on an ad link.

The post Privacy focused browser allows Microsoft trackers appeared first on IT Security Guru.

A new report from the United States Senate Committee on Homeland Security & Governmental Affairs has revealed that the US government lacks comprehensive data on ransomware attacks.

Notably, the report shows that authorities are largely in the dark as to how much is lost in ransom payments.

The report is the culmination of a 10-month investigation into ransomware. It cites FBI statistics that reveal the agency received 3729 ransomware complaints with relative losses upwards of $49.2m. The report stated, however, that these figures “likely drastically underestimate the actual number of attacks and ransom payments made by victims and related losses.”

The post US government lacks ransomware data appeared first on IT Security Guru.

US automobile behemoth General Motors (GM) has confirmed that it suffered a credential stuffing attack last month.

GM said that it detected malicious login activity between April 11 and 29, 2022, resulting in the exposure of customer information and allowing hackers to redeem gift card reward points.

GM sent a data breach notification to affected customers, saying:

“We are writing to follow-up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization.”

In a separate data breach notification, GM speculated on the cause of the attack:

“Based on the investigation to date, there is no evidence that the login information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

The post Cyberattack on General Motors exposes customer data appeared first on IT Security Guru.

Clearview AI has been fined by the UK’s Information Commissioner’s Office (ICO) for breaking UK data protection laws.

The £7.5m fine is a huge reduction from the £17m the ICO initially planned to fine the web-based intelligence platform in November 2021. The initial fine was proposed following a joint investigation conducted in accordance with the Australian Privacy Act and the UK Data Protection Act 2018.

The company has been punished for building an online database of over 20 billion images of people’s faces and data from publicly available information sources online. It did not inform any of said individuals that their data was being collected or used.

Clearview AI has also been forced to stop collecting and delete existing data.

The post Clearview AI fined £7.5m for harvesting data appeared first on IT Security Guru.

At least two research institutes in Russia, and likely a third in Belarus, have suffered an espionage attack carried out by a Chinese nation-state advanced persistent threat (APT) group.

Codenamed “Twisted Panda,” the attacks come in the wake of Russia’s military invasion of Ukraine, an event that has prompted many threat actors to switch tactics and stage opportunistic attacks.

Check Point, an Israeli cybersecurity firm, disclosed details of the latest intelligence-gathering operation, attributing it to a Chinese threat actor.

The cybersecurity firm described the attacks as “a long-running espionage operation against Russian-related entities that has been in operation since at least June 2021,” with the most recent traces of the activity observed as recently as April 2022.

The post Chinese hackers caught spying on Russian defence institutes appeared first on IT Security Guru.

Deepfake videos of Elon Musk and other prominent figures in the cryptocurrency scene are promoting a scam trading platform, BitVex, that steals deposited currency.

The spoof BitVex crypto trading platform claims to be owned by Tesla CEO Elon Musk, who says in the deepfake that he created the site to allow investors to earn up to 30% returns on cryptocurrency deposits.

The videos are created by modifying legitimate interviews with deepfake technology so that the crypto advocate’s voice reads a script supplied by the scammers.

The post Cryptocurrency scammers use Elon Musk deep fake appeared first on IT Security Guru.

The Conti ransomware gang has shut down its operation, taking infrastructure offline and informing team leaders that the brand ceases to exist.

Yelisey Boguslavskiy, head of research at Advanced Intel, tweeted yesterday that the gang’s internal infrastructure had been switched off.

Although the public-facing ransom negotiation sites and the “Conti News” data leak site are still online, Boguslavskiy told BleepingComputer that the Tor admin panels are no longer online.

The post Conti ransomware group disbands appeared first on IT Security Guru.