Travis CI Flaw Exposed Secrets From Public Repositories

Jeremy Kirk • September 15, 2021

Travis CI, a Berlin-based continuous integration testing vendor, has patched a serious flaw that exposed signing keys, API keys and access credentials, potentially putting thousands of organizations at risk. Those using Travis CI should change their secrets immediately.

Breach Notification

Ransomware Stopper: Mandatory Ransom Payment Disclosure

Latest

CISO Trainings

Profiles in Leadership: Tim Nedyalkov, Commonwealth Bank

Jeremy Kirk • September 16, 2021

Cloud-based services are affecting governance, risk management and compliance practices in Australia, says Tim Nedyalkov, who is a technology information security officer with Commonwealth Bank. He discusses the differences between how managers and practitioners approach the problems.

Blockchain & Cryptocurrency

New York Court Shuts Down Crypto Platform 'Coinseed'

Dan Gunderman • September 15, 2021

New York officials won a court order shuttering cryptocurrency trading platform Coinseed, after it allegedly defrauded thousands of investors out of millions of dollars, according to State Attorney General Letitia James. The court also awarded a $3 million judgment against Coinseed and its CEO.

Business Continuity Management / Disaster Recovery

House Committees Seek to Spend Millions on Cybersecurity

Scott Ferguson • September 15, 2021

A pair of House committees this week said they want to spend additional millions on cybersecurity by injecting funds into CISA and the FTC, as part of the debate over the Biden administration's $3.5 trillion budget proposal for 2022. Part of the money would help fulfill Biden's executive order.

Critical Infrastructure Security

Lawsuit: Health System Failed to Heed Ransomware Warnings

Marianne Kolbasuk McGee • September 15, 2021

A proposed class action lawsuit filed this week against St. Joseph's/Candler Health System in the wake of a recent ransomware breach affecting 1.4 million individuals alleges that the Georgia-based healthcare entity was "reckless" and "negligent" in safeguarding patients' information.

Cybercrime

Former US Intelligence Officers Spied on US for UAE

Prajeet Nair • September 15, 2021

Three former U.S. Intelligence Community and military personnel have agreed to pay more than $1.68 million to settle federal charges for providing hacking-related services to the United Arab Emirates, according to the U.S. Department of Justice.

Access Management

Microsoft Fully Ditches the Password

Doug Olenick • September 15, 2021

Microsoft has officially gone fully passwordless, allowing Windows users to replace their alphanumeric passwords with one of several substitute sign-in technologies to gain entry into a Microsoft product - a move received positively by industry insiders.

Critical Infrastructure Security

Russia Has Taken No Action to Combat Ransomware, FBI Says

Mathew J. Schwartz • September 15, 2021

Senior U.S. officials say that there have been no signs that Moscow has begun to crack down on ransomware-wielding criminals operating from inside Russia's borders. President Biden has called on Russia to act responsibly, and U.S. intelligence has been sharing information on top suspects.

Application Security

Microsoft Patches MSHTML Vulnerability

Doug Olenick • September 14, 2021

Microsoft's September Patch Tuesday security update covers 61 vulnerabilities, with four rated critical. These include a fix for the critical MSHTML Vulnerability Microsoft revealed last week and patches to a Windows scripting engine flaw and a Windows DNS flaw.

3rd Party Risk Management

Researchers: 61M Health IoT Device User Records Exposed

Marianne Kolbasuk McGee • September 14, 2021

An unsecured database belonging to an apparently recently defunct firm exposed 61 million records of wearable health and fitness device users on the internet, say the security researchers who discovered the non-password-protected database in cooperation with the WebsitePlanet research team.

Blockchain & Cryptocurrency

SEC Chair Pushes for Additional Cryptocurrency Regulations

Dan Gunderman • September 14, 2021

U.S. SEC Chair Gary Gensler testified before the Senate on Tuesday and again called for comprehensive cryptocurrency regulations, citing a need to reduce cybersecurity risks, other market risks, and criminal efforts to defraud investors, while simultaneously advancing the space.

Breach Notification

Clinic: EHR Data Too Damaged to Recover Post-Attack

Marianne Kolbasuk McGee • September 14, 2021

An Arizona-based family medical practice says it is attempting to reconstruct thousands of patients' electronic health records following a May ransomware attack that badly corrupted the records as well as backup data.

Application Security

New York Vaccine Passport App Stored Forged Credentials

Dan Gunderman • September 14, 2021

A recently patched flaw in a mobile app allowing N.Y. residents to acquire and store a COVID-19 vaccine credential did not validate user input properly and stored forged verifications, according to security researchers. Experts say similar flaws could have dire consequences.