Dark Reading: The FBI is requesting more than $63 million in new funding to fight cyber threats in 2024. On April 27, FBI Director Christopher Wray presented before the House Committee on Appropriations Subcommittee on Commerce, Justice, Science.
The Target: Peugeot, a France-based automobile manufacturer.
The Take: Exposure of sensitive company data, including credentials to a MySQL database, secure web tokens along with their passphrases and the locations of keys, a link to the git repository for the website, and source code.
The Vector: Peugeot’s website based in Peru was hosting an unsecured environment file (.env). Such a file contains credentials for the other services used by the program (here, the website) that the developers are working on. The logins stored here exposed credentials to a third-party software Peugeot used named Symphony, which could let attackers download session IDs and impersonate users.
This breach is a critical reminder to monitor, flag, and properly secure all publicly accessible files on a website, and to ensure these files are protected by passwords adhering to robust cybersecurity standards of complexity and length. This attack also shows how the exposure of one system can lead to a pivot into other systems. It’s essential to secure all public-facing websites.
TechCrunch: Lookout’s long-running transition to becoming an enterprise security company is all but complete, revealing today that it’s selling its consumer mobile security business to Finland’s F-Secure in a deal valued at around $223 million.
The Economic Times: The United States is sending more of its cyber forces abroad to help foreign governments fight hackers, a top US military official said at the RSA cybersecurity conference in San Francisco.
Business Wire: Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), will highlight new research and insights on stage at the 2023 RSA Conference.
Crunchbase: Just as funding has sputtered to cybersecurity startups in recent quarters, the main exit avenue for startups and investors also has been narrowing.
Spiceworks: Last month, the Securities and Exchange Commission proposed sweeping cybersecurity regulations aimed at the finance sector to minimize cybersecurity risk, define incident response and public disclosure protocols, and more.
Forbes: As the founder of a nonprofit that focuses on cyber resilience, I often stress how important the dialogue is around assessing and analyzing a company's digital footprint, dark web exposure, leaked data and compromised credentials in real time.
Yahoo Finance: According to Cybersecurity Ventures, global cybercrime will reach $10.5 trillion annually by 2025. Tackling this issue requires investment, and the report forecasts that cybersecurity revenues will reach $344 billion worldwide by 2030.
The Target: Samsung, a South Korea-based technology company.
The Take: Exposure of internal company documents, including meeting notes and sensitive source code.
The Vector: Samsung employees uploaded sensitive information to ChatGPT, an AI chat service. ChatGPT takes information provided by users to better answer further questions in the future, and as such, the data uploaded will be provided to third parties at any time without any controls or user authorization.
This breach offers a unique insight into how rapidly AI development is proceeding. It is critical that employees be aware of what such services are and of the risks involved. External services like ChatGPT take the information entered into them with absolutely no accountability or oversight. Any data sent in this way can be considered open to the public.