MITRE Corporation hacked by nation-state hackers exploiting Ivanti flaws

The MITRE Corporation revealed on April 19, 2024 that a nation-state actor had compromised its systems in January 2024 by exploiting two zero-day vulnerabilities in Ivanti VPN appliances. According to MITRE's statement, the organization detected suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, and confirmed that a foreign nation-state threat actor was behind it. MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and launched an investigation.

MITRE is a US non-profit organization with dual headquarters in Bedford, Massachusetts, and McLean, Virginia. It manages federally funded research and development centers (FFRDCs) supporting various US government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields, among others. In March 2021, MITRE created the MITRE ATT&CK Defender training program to educate and certify cybersecurity professionals.


Google agrees to erase Incognito data to settle a class action lawsuit

Google has agreed to delete billions of data records related to users' browsing activity in Chrome's 'Incognito Mode' to settle a class action lawsuit. The lawsuit, filed in 2020, accuses the company of collecting users' browsing data without their knowledge or explicit consent, alleging that Google deceived users into believing their online activity would not be tracked while they were using Incognito mode.

In December 2023, Google agreed to settle the $5 billion privacy lawsuit. The settlement involves no damages payment from Google to the class; instead, individuals keep the right to seek compensation by filing their own claims in US state courts.

Contrary to what the name suggests, Chrome's Incognito Mode does not make browsing private. It only stops the browser from saving history, cookies, site data and form entries on the local device; the websites you visit, your network operator or employer, and your ISP can still see your activity.

To settle the case, Google has agreed to erase the stored data it collected about users' private browsing sessions, and to disclose more clearly which data is collected when someone opens an Incognito tab.

In addition, users will be able to block third-party cookies in Incognito mode, a further privacy measure that limits the data the company can collect about them.


OWASP discloses data breach

The OWASP (Open Web Application Security Project) Foundation disclosed on March 29, 2024 that it had suffered a data breach caused by a misconfiguration on its legacy wiki server: directory browsing was enabled, so files stored on the server could be listed and downloaded by anyone.

“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes as part of the membership process,” the disclosure said.

Exposed resumes contained names, email addresses, phone numbers, physical addresses, and “other personally identifiable information”.

In response to the breach, the Foundation disabled directory browsing, reviewed the web server and MediaWiki configuration for other security issues, removed the resumes from the wiki site altogether, and purged the Cloudflare cache to prevent further access. It also asked the Web Archive to remove the archived copies.
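The root cause here, directory browsing left enabled on a web server, turns every file dropped into a served directory into a public download, and it is easy to spot from the outside. As an added example that is not OWASP's code, the Python below recognizes Apache mod_autoindex and nginx autoindex listing pages by their markup and pulls out the exposed entries. The three HTML responses are constructed samples, not captured from any real server, and the hostnames and paths in them are invented.

```python
"""Heuristic detector for auto-generated web-server directory listings.

Added example (not OWASP's code). The sample responses are constructed
to mimic Apache mod_autoindex and nginx autoindex output; they were not
captured from any real server and the paths in them are invented.
"""
import re
from dataclasses import dataclass, field

# Markers used by the two most common autoindex implementations.
#   Apache mod_autoindex: <title>Index of /path</title> and a "Parent Directory" link
#   nginx autoindex:      <h1>Index of /path</h1><hr><pre> ... </pre>
_INDEX_HEADING = re.compile(r"<(?:title|h1)>\s*Index of\s+(/[^<]*)</(?:title|h1)>", re.I)
_APACHE_PARENT = re.compile(r">\s*Parent Directory\s*<", re.I)
_NGINX_PRE = re.compile(r"<hr>\s*<pre>", re.I)
_LINK = re.compile(r'<a\s+href="([^"]+)">([^<]*)</a>', re.I)


@dataclass
class ListingFinding:
    url: str                 # where the listing was served from
    listed_path: str         # the directory the server says it is indexing
    entries: list = field(default_factory=list)  # files/dirs exposed by the listing


def looks_like_directory_listing(html: str) -> bool:
    """True if the body is an auto-generated index page rather than normal content."""
    if not _INDEX_HEADING.search(html):
        return False
    # Require a second, server-specific marker so that an ordinary page whose
    # heading happens to read "Index of /something" is not reported.
    return bool(_APACHE_PARENT.search(html) or _NGINX_PRE.search(html))


def extract_entries(html: str) -> list:
    """Return the linked names in a listing, skipping sort and parent-directory links."""
    entries = []
    for href, text in _LINK.findall(html):
        if href.startswith("?") or href == "../" or text.strip() == "Parent Directory":
            continue
        entries.append(href)
    return entries


def scan_responses(responses: dict) -> list:
    """Given {url: response_body}, return a ListingFinding for each exposed listing."""
    findings = []
    for url, body in responses.items():
        if looks_like_directory_listing(body):
            listed_path = _INDEX_HEADING.search(body).group(1).strip()
            findings.append(ListingFinding(url, listed_path, extract_entries(body)))
    return findings


# --- constructed sample responses (not real captures) ---
APACHE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /uploads/2008/</title></head>
<body><h1>Index of /uploads/2008/</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/uploads/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="cv_0001.pdf">cv_0001.pdf</a></td><td>2008-03-11 09:12</td></tr>
<tr><td><a href="cv_0002.doc">cv_0002.doc</a></td><td>2008-05-02 17:40</td></tr>
</table></body></html>"""

NGINX_LISTING = """<html>
<head><title>Index of /backup/</title></head>
<body>
<h1>Index of /backup/</h1><hr><pre><a href="../">../</a>
<a href="site-2014.tar.gz">site-2014.tar.gz</a>   02-Jan-2014 03:15   48217
<a href="users.sql">users.sql</a>                 02-Jan-2014 03:16     903
</pre><hr></body>
</html>"""

# A normal page that uses the phrase "Index of /" but is not a listing.
NORMAL_PAGE = """<html><head><title>Example Wiki</title></head>
<body><h1>Index of /blog</h1>
<ul><li><a href="/blog/2024/hello">Hello</a></li></ul></body></html>"""

SAMPLE_RESPONSES = {
    "https://wiki.example.org/uploads/2008/": APACHE_LISTING,
    "https://wiki.example.org/backup/": NGINX_LISTING,
    "https://wiki.example.org/blog": NORMAL_PAGE,
}

if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f"{f.url} exposes {f.listed_path}: {', '.join(f.entries)}")
```

In practice the bodies in `SAMPLE_RESPONSES` would come from fetching each served directory of your own sites. The detector deliberately needs a second marker besides the "Index of /" heading, so a normal page that happens to use that phrase is not flagged. On the server side the fix is `Options -Indexes` in the relevant `<Directory>` block or `.htaccess` for Apache, and `autoindex off;` (the default) for nginx; and, as OWASP did, anything sensitive that was ever listed should be assumed copied and purged from CDN caches and archives as well.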

OWASP is a nonprofit organization focused on improving the security of web applications, system software and IoT devices. It provides free resources, tools and documentation to help organizations develop, deploy and maintain secure software, and it has tens of thousands of members.
