#authentication

#authentication

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have raised the alarm on a recent PaperCut vulnerability being exploited in ransomware attacks targeting the education sector.Described as an improper access control issue in the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the flaw allows remote, unauthenticated attackers to bypass authentication and execute arbitrary code on vulnerable devices, with System privileges.

GitLab Dedicated, a fully isolated, single-tenant SaaS edition of the GitLab devsecops platform, is now generally available.The service is hosted and managed by GitLab and deployed on Amazon Web Services.Launched June 15, GitLab Dedicated is geared to users with strict compliance requirements such as isolation, data residency, and private networking.

Backend developers often apply some common tasks to the requests that our service receives.Some of these tasks are applied before fulfilling the request, like authentication and authorization.Others are applied after the request is processed, but just before the response is sent, such as a log of the resource accessed.

As the founder of Cerbos, I have first-hand experience with the challenges that CTOs face when building software solutions that meet immediate requirements while also future-proofing their infrastructure.This balancing act becomes particularly challenging when addressing complex authorization requirements in enterprise settings, which is why there are significant benefits to building the correct solution early on.

In today's fast-paced software development world, the DevOps approach is becoming increasingly popular due to its ability to integrate development and operations teams and facilitate the continuous delivery of software products.However, with the rise of DevOps, the importance of security automation in the development process has also increased.

"A robot may not injure a human being or, through inaction, allow a human being to come to harm."Turns out the Bing AI is bizarre and that is making quite the waves at the moment.In essence, the Bing version of ChatGPT has the capability of performing internet searches and as a result will feed some extra data into itself.

Stavvy, a fintech company specializing in digital and remote collaboration for lending and real estate companies, announced on Wednesday a new partnership with WFG National Title Insurance Company (WFG) to provide the company and its customers with eClosing technology solutions."Stavvy is incredibly excited to work with WFG to bring innovative eClosing solutions to the masses," said Kosta Ligris, Founder and CEO of Stavvy.

Cisco on Wednesday announced updates for endpoint, cloud, and web security products to address a critical vulnerability in third-party scanning library ClamAV.An open-source cross-platform antimalware toolkit, ClamAV can detect trojans, viruses, and other types of malware.On February 15, ClamAV's maintainers announced critical patches that address two vulnerabilities in the library, the most severe of which could lead to remote code execution.

A smart intercom product made by Chinese company Akuvox is affected by more than a dozen vulnerabilities, including potentially serious flaws that can be exploited for spying.The vulnerabilities were discovered by researchers at industrial and IoT cybersecurity firm Claroty.The company - along with CISA and CERT/CC - has attempted to report the findings to the vendor over the past year, but without success, and the security holes remain unpatched.

Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors race to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.The vulnerabilities both carry severity ratings of 9.8 out of a possible 10 and reside in two unrelated products crucial in securing large networks.

The Akuvox E11 is billed as a video door phone, but it's actually much more than that.The network-connected device opens building doors, provides live video and microphone feeds, takes a picture and uploads it each time someone walks by, and logs each entry and exit in real time.The Censys device search engine shows that roughly 5,000 such devices are exposed to the Internet, but there are likely many more that Censys can't see for various reasons.

Microsoft's threat intelligence team is blaming a "Russian-based threat actor" for newly disclosed in-the-wild attacks targeting a critical vulnerability in its flagship Microsoft Outlook software.One day after sounding an alarm for live exploitation of the Outlook security flaw, Microsoft said it traced the exploit to a Russian APT targeting a limited number of organizations in government, transportation, energy, and military sectors in Europe.

Cybersecurity firm CrowdStrike warns of a Dero cryptojacking operation infecting Kubernetes clusters that are also being targeted by a Monero cryptojacking campaign.Dero is a cryptocurrency that uses directed acyclic graph (DAG) technology, claiming to provide users with complete transactional anonymity, increased privacy, and a higher reward ratio compared to Monero.

As countries around the world pressure Apple to ditch its proprietary Lightning Port and adopt the USB-C port instead, Apple seems to have tricks up its sleeve.While the European Union and the Indian government have introduced rules to make USB-C connectors mandatory for portable devices, including iPhones, as a means to make charging standards universal, Apple is reportedly working on making the USB-C port exclusive to its Apple ecosystem by bringing in limitations similar to its Lightning Port.

We should closely monitor the state of tests in our NestJS application.In a few previous parts of this series, we've used Docker and GitHub actions to design a CI/CD pipeline that automates our deployments.In this article, we avoid deploying faulty code by running unit tests before each pull request automatically.

NurPhoto via Getty Images
Twitter announced plans to pull a popular method of two-factor authentication for non-paying customers last week.Not only could this make your account more vulnerable to attack, but it may even undermine the platform's security as a whole and set a dangerous precedent for other sites.

Cybersecurity company Fortinet this week announced patches for multiple severe vulnerabilities across its product portfolio, including a critical flaw in FortiOS and FortiProxy that could lead to remote code execution (RCE).Tracked as CVE-2023-25610 (CVSS score of 9.3), the issue impacts the administrative interface of the affected products and can be exploited without authentication, either for code execution or to cause a denial-of-service (DoS) condition, via crafted requests.