The past two years have brought about significant disruptions to global supply chains. Recent headlines have focused on labor shortages and their impact on everything from product production to shipping delays. However, another, more significant supply chain issue should be top of mind for every organization: supply chain attacks.

Jazzer, our fuzzer for the JVM, is already being used with several JVM languages like Java and Kotlin. Recently, a member of the community asked us whether Jazzer can also fuzz Clojure code. The answer is yes, but it wasn't obvious how to set things up. So we've built a small helper library, jazzer-clj, which contains everything you need to get started with Jazzer for Clojure. There's also an example project to demonstrate the setup.

On January 8, 2022, the open source maintainer of the wildly popular npm package colors, published colors@1.4.1 and colors@1.4.44-liberty-2 in which they intentionally introduced an offending commit that adds an infinite loop to the source code. The infinite loop is triggered and executed immediately upon initialization of the package’s source code, and would result in a Denial of Service (DoS) to any Node.js server using it.

Phishing emails are a serious problem for both businesses and consumers. Phishers use phishing emails to steal users’ personal information, like usernames, passwords, credit card numbers, social security numbers and other sensitive data.

Domain hijacking is the act of domain name theft. It can happen to individuals or organisations and it’s increasing in frequency. The name may be hijacked by someone else who passes themselves off as you, tricks your domain registrar into transferring your domain to them, or hacks into your account (sometimes through phishing) and transfers it themselves.

When the credentials are submitted for a user account logon request, audit events are generated by the operating system which is determined by the Audit Credential Validation. The events occur as follow: As in an enterprise environment, domain accounts are used more often than local accounts so most of the user logon requests are in the Domain Environment for which Domain Controllers have the authorization. So, the event volume is high on Domain Controllers and low on member servers and workstations.

Companies today face increasing pressure to implement strong cybersecurity controls. While the U.S. has no comprehensive cybersecurity law, many organizations still fall under state, international, or industry regulations. Two of the most prominent controlling publications are the General Data Protection Regulation (GDPR), and the ISO 27701 standard. One has the force of law, and the other is a guiding framework, respectively. Both of these documents apply to an increasing number of businesses.

One of the biggest problems with the IT / OT convergence in critical infrastructure is that much of the legacy hardware cannot simply be patched to an acceptable compliance level. Recently, Sean Tufts, the practice director for Industrial Control Systems (ICS) and Internet of Things (IoT) security at Optiv, offered his perspectives on where the industry has been, where it is going, and some of the progress being made to secure critical infrastructure.

Earlier this week, the FTC issued a warning to companies regarding the Log4j vulnerability. Given the rampant exploitation of the recently discovered vulnerabilities in this ubiquitous open source logging package, it’s encouraging to see the agency take this rare step, beginning to form a firm stance on software supply chain security. Although this increased scrutiny from the FTC may at first seem daunting, violations can be remediated with the right practices.

Creativity can be fickle. One day, your brain is full of bright ideas you’re keen to jot down, develop, and share with others. The next day, you have nothing. Zilch. Not even a flicker of an idea. You suddenly feel like a world-class restaurant that’s run out of ingredients.