Better app security cannot start with tools

There is a common trope in science fiction movies where robots start to think for themselves and launch a war with humans for control of Earth.

These storylines come from a familiar place. We continue to see robots, machines, and technological tools replace many traditional jobs requiring a human touch. Many industries, such as manufacturing, rely heavily on these devices, with automation a growing threat to the workforce.

Technological tools remain critical to software...

20 September 2022 | Development Tools

PyPI maintainers warn of ongoing phishing attack

The maintainers of the Python Package Index (PyPI) have warned of an ongoing phishing attack targeting users.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI,” wrote the maintainers in a tweet.

A phishing email is sent to users warning that PyPI is implementing a mandatory ‘validation’ process and that users must follow a link or risk their package being removed:

The...

25 August 2022 | Hacking & Security

InAppBrowser tool reveals hidden JavaScript injections

A tool created by developer Felix Krause reveals hidden JavaScript injections through in-app browsers.

In-app browsers offer a convenient way for developers to let users browse specific websites without leaving their apps. However, they can be used to invade users’ privacy.

A JavaScript injection can be used via an in-app browser to collect data about users including their taps on a webpage, keyboard inputs, and more.

Armed with this data, a “digital...

19 August 2022 | Hacking & Security

PyPI package installs cryptominer on Linux systems

A malicious PyPI package was used to install a Monero cryptominer on Linux systems.

The package in question, secretslib, was pushed to the official third-party software repo for Python on 6th August 2022. The package was described as “secrets matching and verification made easy”.

Sonatype’s automated malware detection system flagged secretslib as potentially malicious. Further analysis proved its suspicions to be correct.

“The package covertly runs...

15 August 2022 | Hacking & Security

GitHub now sends Dependabot alerts for vulnerable Actions

GitHub has announced that it will begin sending Dependabot alerts when it detects vulnerable GitHub Actions.

GitHub Actions makes it easy for developers to automate their workflows. Dependabot, meanwhile, automatically updates dependencies to keep your projects secure.

When an Action vulnerability is discovered, GitHub’s team of security researchers will create an advisory to document it. Following the creation of an advisory, Dependabot alerts will be sent to impacted...

11 August 2022 | Git

Introducing OpenTDF: Open source, accessible security for developers

At Virtru, we believe that the ability to securely share data is essential — and that privacy is a human right that must be protected. It’s a mission we have stuck by since we started in 2011, and sees us supporting over 7,000 organisations worldwide to protect their most valuable asset, their data, with Zero-Trust security and powerful, granular policy controls that tie identity to data, everywhere it moves.

Now, Virtru is giving developers a new way to build security...

28 July 2022 | API

Source code for Rust-based malware leaks on hacking forums

The source code for an info-stealing malware based on Rust has leaked on hacking forums.

Security analysts claim the malware is actively used in attacks and it appears to have a high antivirus evasion rate. VirusTotal returns a detection rate of around 22 percent.

The developer claims to have developed the malware in just six hours. Despite being based on Rust, the malware currently only targets Windows machines.

Cybersecurity firm Cyble analysed the malware...

26 July 2022 | Hacking & Security

Web3 projects lost over $2B to hacks in H1 2022

A report from CertiK finds that web3 projects lost over $2 billion to hacks in H1 2022—more than all of 2021 combined.

“2022 is already the most expensive year for web3 by far. From these numbers, 2022 is forecast to see a 223% increase in the funds lost to attacks when compared with 2021,” wrote CeriK in their report.

CertiK’s sobering report highlights the difficulties of an industry that pitches itself as returning to the decentralised ideals of web1 while...

8 July 2022 | Blockchain

HackerOne employee disclosed vulnerabilities ‘for personal gain’ 

An employee of HackerOne was caught accessing security reports and disclosing vulnerabilities “for personal gain”.

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.

Following a customer report of a suspicious vulnerability disclosure made outside of the HackerOne platform, the company decided to launch an investigation.

Jober Abma, Co-Founder of HackerOne,...

4 July 2022 | Hacking & Security

How cloud-based security is becoming more powerful thanks to open APIs

Security technology is essential to any successful business. In order to operate to your full potential, you need to feel secure that your data, people, and spaces are well protected.

With a robust commercial security system, you can feel safe knowing that your security team has a well-rounded view of your facility and employs the best technology to keep you and your most important assets safe.

In particular, cloud-based security tech is the new popular choice for many...

1 June 2022 | API