Aggregator

New Cyber Law Enables Agencies to Neutralize Attackers' Servers Located Abroad
The Japanese Parliament passed the long-delayed active cyber defense bill on Friday, paving the way for government agencies to monitor external telecommunications and preemptively respond to signs of cyberattacks, including neutralizing attackers' servers.

Ministry of Justice Discloses April 23 Breach
Hackers stole from the U.K. Ministry of Justice personal information pertaining to criminal defendants in need of an attorney, the British government disclosed Monday. The ministry on Monday said it detected on April 23 a breach that targeted the Legal Aid Agency.

A CVSS score 3.3 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N severity vulnerability discovered by 'soiax' was reported to the affected vendor on: 2025-05-20, 79 days ago. The vendor is given until 2025-09-17 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A vulnerability classified as critical was found in ipmitool up to 1.8.18. This vulnerability affects unknown code. The manipulation leads to buffer overflow. This vulnerability was named CVE-2020-5208. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in PostgreSQL up to 9.6.16/10.11/11.6/12.1. This issue affects some unknown processing of the component ALTER Handler. The manipulation leads to improper authorization. The identification of this vulnerability is CVE-2020-1720. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in PostgreSQL up to 9.5.22/9.6.18/10.13/11.8/12.3 and classified as critical. This issue affects some unknown processing of the component Installation Script. The manipulation leads to untrusted search path. The identification of this vulnerability is CVE-2020-14350. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in PostgreSQL up to 10.13/11.8/12.3 and classified as critical. This vulnerability affects unknown code of the component Replication Handler. The manipulation leads to uncontrolled search path. This vulnerability was named CVE-2020-14349. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Google Go up to 1.16.5 and classified as critical. Affected by this vulnerability is an unknown functionality of the component X.509 Certificate Handler. The manipulation leads to improper certificate validation. This vulnerability is known as CVE-2021-34558. The attack can only be initiated within the local network. There is no exploit available.

A vulnerability was found in VMware Tools 10.x.y/11.x.y/12.0.0. It has been classified as critical. This affects an unknown part. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2022-31676. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in IcedTea-Web up to 1.7.2/1.8.2. Affected is an unknown function of the component JNLP File Handler. The manipulation as part of Crafted Application leads to path traversal. This vulnerability is traded as CVE-2019-10182. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability has been found in IcedTea-Web up to 1.7.2/1.8.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the component JAR File Handler. The manipulation leads to path traversal. This vulnerability is known as CVE-2019-10185. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in Google Go up to 1.11.12/1.12.7 and classified as critical. This issue affects the function Hostname/Port of the component net/url. The manipulation of the argument Host as part of URL leads to improper input validation. The identification of this vulnerability is CVE-2019-14809. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Google Go 0.3.3. Affected by this issue is some unknown functionality of the component x-text Package. The manipulation leads to infinite loop. This vulnerability is handled as CVE-2020-14040. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in IcedTea-Web up to 1.7.2/1.8.2. This issue affects some unknown processing of the component Signature Verification Handler. The manipulation as part of JAR File leads to insufficient verification of data authenticity. The identification of this vulnerability is CVE-2019-10181. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in iperf3 up to 3.13. It has been classified as problematic. Affected is an unknown function. The manipulation of the argument length leads to integer overflow. This vulnerability is traded as CVE-2023-38403. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in device-mapper-multipath and classified as critical. This vulnerability affects unknown code of the component Unix Domain Socket Handler. The manipulation leads to improper authorization. This vulnerability was named CVE-2022-3787. It is possible to launch the attack on the local host. There is no exploit available.

A vulnerability classified as problematic has been found in Squid Web Proxy up to 5.6. This affects an unknown part of the component SSPI/SMB. The manipulation leads to integer overflow. This vulnerability is uniquely identified as CVE-2022-41318. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in polkit. It has been rated as critical. Affected by this issue is some unknown functionality of the component D-Bus Request Handler. The manipulation leads to incorrect authorization. This vulnerability is handled as CVE-2021-3560. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

白宫 Signal 门事件尚未结束。前国家安全顾问 Mike Waltz 今年三月邀请了《大西洋月刊》主编加入了一个Signal 群组讨论对也门的战争，他在 5 月 1 日的内阁会议上被摄像机拍到使用以色列公司 TeleMessage 开发的修改版 Signal。TeleMessage 开发了 Signal、WhatsApp、Telegram 和微信的修改版以集中存档信息。5 月 4 日黑客攻击了 TeleMessage。现在黑客通过 Distributed Denial of Secrets（DDoSecrets）公布了窃取自 TeleMessage 的 410 GB 数据。由于数据包含有大量敏感的用户个人信息，该数据集目前仅对记者和研究人员开放访问。TeleMessage 服务器被发现存在漏洞，任何人都可以通过 archive.telemessage.com/management/heapdump 这个网址下载存档服务器的 Java 堆转储，其中包含有明文聊天记录。

Your Data, Your Responsibility: Securing Your Organization's Future in the Cloud
madhav
Tue, 05/20/2025 - 04:37

Cloud adoption has fundamentally changed the way businesses operate, offering scalability, agility, and cost efficiencies that were unimaginable just a decade ago. But with this shift comes a necessary conversation: the cloud can also introduce complex security risks without the right care and practices in place.

Think sensitive and regulated data, intellectual property (IP), or code for your next winning product. When it comes to the future of your organization, business leaders must ask themselves:

• How are we making sure our critical data and IP are completely protected in the cloud?
• Who has access to the keys and protocols which are designed to protect our sensitive information?
• Are we consistently managing and securing keys across different cloud environments?
• Are we simply taking a “good enough” approach to cloud security without considering real risks?

If these are not questions that are already being discussed with teams, they need to be.

The Complexity of Multi-Cloud Security

The Thales 2025 Data Threat Report highlights that entities must rethink their approach to data security due to structural and geopolitical changes. In the AI era, the data businesses collect, store, process and share takes center stage. Although data breach rates fell to 45% in 2025 from 56% in 2021, cloud and application security continue to be the greatest security concerns for security leaders.

Cyberattacks are also becoming more sophisticated and tenacious. According to the Thales 2024 Cloud Security Study, 44% of organizations reported experiencing a cloud data breach, with 14% encountering such incidents within the past year. Among these breaches, 31% were attributed to misconfiguration or human error. Organizations that are not taking proactive steps will realize it’s only a matter of time before they become part of that statistic.

Who is Really Responsible for Cloud Security?

Too many business leaders assume that cloud security is their Cloud Service Provider’s (CSP’s) total responsibility, which is a dangerous misconception. In reality, the CSP and the customer share responsibility – or as Google put it, they share fate.

This is called the Shared Responsibility Model, and it defines clear boundaries:

• Cloud providers are responsible for securing the infrastructure—the physical data centers, networks, and hardware.
• The customer is responsible for securing their data, applications, and user access.

This means that although cloud-native security protocols, like encryption, help to protect the provider’s infrastructure, it does not necessarily protect the customer. If their data is compromised, it is they—not the cloud provider—who will fall foul of regulators and face the financial, legal, and reputational consequences.

Businesses need to ask themselves who in their organization is ensuring that the security strategy aligns with these realities.

The Security Challenges of Hybrid IT

Today’s IT environments are a mix of on-premises, hybrid, and multi-cloud services, creating previously unimagined levels of complexity. Security teams, finding themselves on the back foot, are being forced to bolt on security point products as an afterthought or look towards cloud-native security controls— that could mean relinquishing direct control over their access security.

Leveraging multiple clouds results in a fragmented approach that leads to siloed security solutions that are difficult to manage, gaping holes in protection across different platforms, and soaring costs and inefficiencies due to a lack of integration.

The truth is that as cloud environments only continue to grow, IT teams will continue to battle to manage multiple disconnected security tools. This is not a scalable approach—so entities need to consider what they are doing to consolidate and strengthen security across all cloud environments.

Cloud Security Risks: Are You Leaving the Door Open?

Many firms trust cloud-native controls, like encryption, to protect their data but do not consider where the encryption keys are stored. If they are managed within the same cloud ecosystem, this could put the business at risk. This is why:

• Single Point of Failure – If bad actors breach cloud tenant, they could get their hands on the business’s data, and the encryption keys to keep it safe.
• Regulatory Gaps – Compliance frameworks like GDPR, DORA, and PCI-DSS now require stricter key control. Data sovereignty requirements also mandate control over key management. Businesses must establish whether depending on a CSP meets these evolving regulations.
• Separation of Duties – After all, encryption can only be as secure as its key management process, so companies must understand who actually controls their encryption keys.

The 2025 Thales report indicates that there has been some good progress in protecting sensitive data:

• 68% of organizations report that they encrypt 40% or more of their sensitive cloud data.
• 57% of organizations use MFA to protect access to cloud assets, with 40% of them using phishing resistant methods like biometrics and passkeys.

However, there’s still room for improvement. The question businesses need to ask themselves is, what is their appetite for being at risk?

Are You Protecting the Lifeblood of Your Business?

A company’s intellectual property, business models, and proprietary data set it apart from the competition. But in a cloud-driven world, many organizations fail to consider how well they are truly protecting their value.

Firms should ask themselves:

• Are we in control of our competitive edge in the cloud?
• Could third parties gain access to our sensitive business data?
• What happens if our trade secrets are leaked or misused?

Breaches do not just impact data—they impact business reputation, revenue, and future success. In competitive markets, a single data breach can result in crippling fines, negative publicity, and lost customers. According to a global study by IBM the average cost of a data breach has risen to $4.88 million—a very sobering statistic.

Organizations invest fortunes in R&D and innovation and should think about whether it is worth risking losing it all due to poor cloud security.

The Potential Security Gaps in Cloud Provider Protections

Various cloud models require different security approaches—for instance, IaaS environments require security controls that won’t always translate well to SaaS deployments. One CSP’s security capabilities won’t necessarily apply to a different cloud vendor’s environment, and unfortunately, hybrid and multi-cloud environments create many more security gaps than companies realize.

When security is implemented in a siloed, reactive fashion, the result is inefficiencies and inconsistencies, high management overheads, uncontrollable costs, security blind spots, and loss of control. Organizations need to ensure that cloud security isn’t being implemented in a disjointed, piecemeal way.

Cloud Security Must Be Proactive, Not Reactive

According to the Thales 2025 Data Threat Report, 64% of organizations cite cloud security as their most pressing concern, since both SaaS data and cloud storage remain top attack targets. Losing sensitive data is the number one security concern for entities moving to the cloud. Data Loss Prevention (DLP) and encryption are top security controls, but how encryption keys are managed is of utmost importance.

Businesses need to establish who controls their encryption keys, where they are stored, and, importantly, can they retrieve them if needed—or are they locked in by a cloud provider?

The Thales DTR report echoes that sentiment; secrets management emerged as the top security challenge for DevSecOps engineers. According to Gartner, by 2027, more than 60% of organizations will adopt a centralized multicloud Key Management as a Service (KMaaS) to integrate with native CSP key management due to increased impacts of international data residency and privacy requirements.

Are You Asking the Right Questions?

Cloud security is not just an IT problem—it’s a business risk that impacts the entire organization. Businesses need to ask their teams:

• What are we doing to protect our most valuable data and IP in the cloud?
• How can I improve my security across all clouds while complementing cloud-native security?
• What is the best approach to deploying encryption and key management?
• Who actually controls our encryption keys?
• How are we ensuring compliance with evolving regulations?

The businesses that proactively address these questions will not only protect their data but also secure their competitive advantage for years to come. The question, is are you one of them?

Next steps

• Learn how to leverage the cloud without giving up control
• Discover best practices for cloud data protection and key management
• Explore Thales cloud security solutions
• Speak to a Thales cloud security expert

Brian Robertson | Principal Product Marketing Manager
More About This Author > basic

The post Your Data, Your Responsibility: Securing Your Organization’s Future in the Cloud appeared first on Security Boulevard.