Tag: Compliance

  • ClamAV 1.5.0 Released: Major Update Adds FIPS Mode Support and Switches Cache Hashing to SHA-256

    The ClamAV 1.5.0 antivirus engine has been released, introducing one of the most significant updates in recent years — FIPS mode support for verifying the authenticity of signature databases. The Freshclam and CVDUpdate tools can now utilize “.cvd.sign” signature files for database archives and CDIFF updates. In the absence of these files, the system will revert to the legacy RSA verification method based on MD5. This enhancement enables the official deployment of ClamAV within FIPS-certified infrastructures, where the use of outdated and insecure hashing algorithms is strictly prohibited.

    Developers have added dedicated parameters for specifying the CVD certificate directory, now supporting environment variables, command-line arguments, and configuration file options. New API functions have been introduced for verifying and unpacking databases, replacing the deprecated cl_cvdverify and cl_cvdunpack methods. Furthermore, the engine can now automatically detect whether FIPS mode is enabled in the system and enforce restrictions on the use of MD5 and SHA1 during digital signature verification.

    The update also improves the cache of known-clean (safe) files, which now uses SHA-256 instead of MD5. This change removes the known collision weaknesses of MD5 and ensures compatibility with environments that impose strict cryptographic compliance requirements.

    The ClamD service now allows administrators to disable specific commands — from shutdown requests to statistics output — enhancing security when the daemon is deployed in multi-tiered environments. Additionally, regular expression support has been added to the OnAccessExcludePath parameter, enabling more flexible configuration of directory exclusions.

    Key improvements include external database signature support, enhanced hashing functions with FIPS bypass flags, extended JSON metadata formats, and the option to log URIs extracted from HTML and PDF documents — with the ability to disable this feature when desired. The ClamScan command can now display both the file type and hash for each scanned object, with scan results presented using precise units of measurement — from bytes to gigabytes.

    The libclamav library introduces new scanning functions with extended parameters, allowing the transmission of file hashes, types, and contextual metadata. The mechanism for handling temporary directories during recursive scanning has been refined, and new callback functions have been added, enabling developers to intercept specific analysis stages — from initial hashing and classification to final infection alerts. Each attachment now receives a unique object identifier and can be processed independently, including embedded files that were previously excluded from standalone scans.

    JSON metadata has become far more sophisticated: instead of a flat list of detected threats, it now includes categorized indicators — strong, potentially unwanted, and weak. This structure lays the groundwork for the development of multi-trigger composite signatures in future versions. Support has also been added for storing multiple hash values (MD5, SHA1) alongside the primary SHA-256, as well as a new file type, CL_TYPE_AI_MODEL, for identifying artificial intelligence model files.

    Other changes include a recursion depth limit of 100 levels, improved platform support for AIX, Solaris, and GNU/Hurd, greater resilience when handling corrupted ZIP archives, and added comments within configuration files. The obsolete MyDoom heuristic has been removed, numerous Windows build issues have been fixed, and several potential security flaws — including stack overflows and race conditions in Freshclam — have been addressed.

    The developers expressed special gratitude to community contributors, including engineers from SAP, the TITAN Team, and independent researchers who assisted in strengthening ClamAV’s cryptographic components and eliminating vulnerabilities. ClamAV 1.5.0 is now available for download from the project’s official website and its GitHub release page.

  • Silent Access: Critical Flaw in Microsoft Copilot Bypasses All Audit Logs

    While Microsoft has been vigorously promoting its Copilot AI product line, promising users greater convenience and productivity, a troubling flaw has been uncovered in the M365 ecosystem—one that undermines the very foundations of security and legal transparency. The issue lies in the fact that Copilot could access user files without leaving any trace in audit logs—and Microsoft chose not to inform its customers of this vulnerability.

    The flaw was discovered by chance. On July 4, a security researcher from Pistachio observed that when Copilot was used to generate a summary from a file, the request was correctly recorded in the audit log. However, if the query was phrased differently—such that Copilot returned no link to the file—the record of access vanished entirely from the log. This loophole effectively allowed a malicious actor to read the contents of a document without leaving behind a single digital footprint.

    It later emerged that the Chief Technology Officer of Zenity had identified the same issue a year earlier. Nevertheless, Microsoft only addressed the bug in August 2025, following a second independent report. Even then, despite acknowledging the problem, the company declined to issue a public advisory or assign a CVE—the standard identifier for vulnerabilities. Instead, Microsoft’s Security Response Center (MSRC) explained that the fix had been deployed automatically and required no action from customers.

    This stance perplexed many experts. First, Microsoft blatantly violated its own incident-handling guidelines: although a formal process exists, the company failed to provide status updates on the report and behaved as though those procedural stages were merely for appearances, bearing no relation to reality.

    Second, by categorizing the flaw as “important” rather than “critical,” Microsoft found a convenient pretext to avoid disclosure. Yet this ignores a crucial fact: missing audit records could occur inadvertently, without malicious intent, simply due to Copilot’s peculiar behavior.

    The implications are sweeping, affecting any organization that relied on M365 Copilot prior to August 18, 2025. For companies that depend on audit logs to meet regulatory obligations such as HIPAA, or for internal incident investigations, the absence of complete records could lead to flawed or even disastrous decisions. The risk is especially acute for enterprise clients, where evidence of access to sensitive files can prove decisive in compliance checks, court proceedings, or audits.

    In light of ongoing criticism of Microsoft for monetizing audit capabilities and restricting access to logs behind paywalls, the refusal to disclose such a critical weakness has drawn sharp rebuke. Auditing is not merely an optional service; it is the bedrock of trust between an IT platform and its clients. When a major provider conceals the fact that its logging system may have been malfunctioning for an extended period, it undermines its own assurances of security and transparency.

    As Microsoft continues to expand the reach of AI within its products, one pressing question remains: how many more of these “silent failures” are lurking behind Copilot’s polished interfaces?

  • Cloud Snitch: New Open-Source Tool Reveals Hidden Activity & Bolsters Least Privilege in Your AWS Accounts

    Whether you’re a developer, security engineer, or just a curious person, Cloud Snitch is guaranteed to teach you something and take your relationship with your cloud to the next level.

    Cloud Snitch provides a sleek and intuitive way of exploring your AWS account activity. It’s a great addition to any toolbox, whether you’re a hobbyist just getting started with the cloud or a large enterprise with complex and mature cloud infrastructure.


    Features

    • With Cloud Snitch, there’s no excuse for not knowing everything your AWS accounts are up to.
    • Share links to IP address, CIDR network, and AWS principal activity within your team.
    • Document AWS principals with Markdown notes for your teammates.
    • Cloud Snitch provides summaries of activity by AWS region, principal, IP address, and CIDR network.
    • Errors are highlighted, so you can quickly spot suspicious behavior or bugs in your code.
    • Take the investigation further with quick links into your CloudTrail event history.
    • Generate or manually configure service control policies for your accounts to help you enforce least privilege access and meet compliance requirements.
    • Preview service control policies and apply them with the click of a button.

    Open Source or SaaS

    Cloud Snitch is open sourced under the MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT) so if you’re feeling adventurous, you can deploy it directly to your own cloud. Alternatively, you can get up and running in under 5 minutes with an individual or team plan at cloudsnitch.io.

    Install & Use

  • Twilio Security Scanner: Audit and Harden Your Twilio Configs in Seconds

    Twilio Security Scanner

    A security scanning tool for Twilio accounts that helps detect misconfigurations and security risks, including:

    • Public serverless functions and assets
    • Unencrypted HTTP webhooks in phone numbers and messaging services
    • API keys older than 90 days

    This tool is useful for DevOps, Security Engineers, and compliance teams looking to audit their Twilio configurations for security best practices.

    Output

    The scanner checks for several security concerns:

    Serverless Functions and Assets

    • Lists all public functions and assets
    • Outputs URLs and paths for each public endpoint
    • Saves findings to CSV when the -o flag is given

    Webhook Security

    • Identifies phone numbers using unencrypted HTTP webhooks
    • Checks messaging services for unencrypted HTTP URLs
    • Reports both primary and fallback URLs using HTTP

    API Key Age

    • Identifies API keys older than 90 days
    • Reports key names for rotation

    Trusted Apps

    • Lists all trusted connect applications
    • Shows count of connected applications

    CSV Output

    When using the -o flag, the scanner will save public serverless findings to a CSV file with:

    • Type (Function/Asset)
    • URL
    • Path
    • SID
    • Service Name – The friendly name of the Twilio service containing this function/asset
    • Service SID – The unique identifier of the service

    Remediation Steps

    Public Functions and Assets

    If the scanner finds public functions or assets, you can:

    1. Locate the function/asset in the Twilio Console using the provided service name
    2. Navigate to: Console → Functions and Assets → Services → [Service Name]
    3. Review the function/asset visibility settings
    4. Change visibility from “Public” to “Protected” if the endpoint should not be publicly accessible
    5. Consider implementing authentication for endpoints that need controlled access

    Note: Making a function/asset protected will require valid Twilio credentials to access it.

    Note about Deployment State: Functions and assets can exist in two states:

    • Saved but not deployed: Even if marked as “public”, they are not accessible until deployed
    • Deployed: Will be publicly accessible if marked as “public”

    Unencrypted HTTP Webhooks

    For webhooks using HTTP instead of HTTPS:

    1. Update all webhook URLs to use HTTPS
    2. Ensure your webhook endpoints support HTTPS
    3. Update both primary and fallback URLs

    Old API Keys

    For API keys older than 90 days:

    1. Create new replacement API keys
    2. Update applications to use the new keys
    3. Revoke the old keys after confirming all systems are working
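
The three checks described above (public serverless endpoints, plain-HTTP primary and fallback webhooks, and API keys past the 90-day rotation threshold), as an added Python example that is not the scanner's own code: it runs over constructed in-memory records instead of the Twilio API, and the record field names (voice_url, sms_fallback_url, date_created, and so on) are assumptions, as are the placeholder SIDs.

```python
# Added example, not the scanner's own code: the README's three checks run over
# constructed in-memory records (no Twilio SDK); field names are assumptions.
from datetime import datetime, timezone
from urllib.parse import urlsplit

WEBHOOK_FIELDS = ("voice_url", "voice_fallback_url", "sms_url", "sms_fallback_url")
CSV_COLUMNS = ("Type", "URL", "Path", "SID", "Service Name", "Service SID")

def public_serverless(items, deployed_only=True):
    """Rows shaped like the README's CSV columns for public functions/assets.
    Per the deployment-state note, a public item that is saved but not
    deployed is not reachable, so it is skipped unless deployed_only=False."""
    return [dict(zip(CSV_COLUMNS, (i["type"], i["url"], i["path"], i["sid"],
                                   i["service_name"], i["service_sid"])))
            for i in items
            if i["visibility"].lower() == "public" and (i["deployed"] or not deployed_only)]

def http_webhooks(resources):
    """(name, field, url) for each primary or fallback webhook whose scheme is
    plain http. The scheme check is case-insensitive; unset/empty URLs are not findings."""
    return [(r["name"], f, r[f]) for r in resources for f in WEBHOOK_FIELDS
            if urlsplit(r.get(f) or "").scheme.lower() == "http"]

def old_api_keys(keys, now, max_age_days=90):
    """Names of keys created more than max_age_days before `now`: the rotation list."""
    return [k["name"] for k in keys if (now - k["date_created"]).days > max_age_days]

# Constructed sample records; SIDs and hostnames are placeholders, not real identifiers.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
SERVERLESS = [
    {"type": "Function", "url": "https://svc.example/token", "path": "/token", "sid": "ZH_PLACEHOLDER_1",
     "service_name": "svc", "service_sid": "ZS_PLACEHOLDER", "visibility": "public", "deployed": True},
    {"type": "Asset", "url": "https://svc.example/logo.png", "path": "/logo.png", "sid": "ZH_PLACEHOLDER_2",
     "service_name": "svc", "service_sid": "ZS_PLACEHOLDER", "visibility": "protected", "deployed": True},
    {"type": "Function", "url": "https://svc.example/debug", "path": "/debug", "sid": "ZH_PLACEHOLDER_3",
     "service_name": "svc", "service_sid": "ZS_PLACEHOLDER", "visibility": "public", "deployed": False},
]
RESOURCES = [  # a phone number and a messaging service, each with primary and fallback URLs
    {"name": "+15550000001", "voice_url": "https://hooks.example.com/voice",
     "sms_url": "HTTP://hooks.example.com/sms", "sms_fallback_url": "http://hooks.example.com/sms-fb"},
    {"name": "MG_PLACEHOLDER", "sms_url": "https://hooks.example.com/svc", "sms_fallback_url": ""},
]
API_KEYS = [
    {"name": "ci-deploy", "date_created": datetime(2025, 1, 15, tzinfo=timezone.utc)},
    {"name": "new-app", "date_created": datetime(2025, 9, 20, tzinfo=timezone.utc)},
]
```

Running the three functions over the sample data reports only the deployed public function, the two plain-HTTP SMS URLs (the upper-case scheme included), and the one key older than 90 days.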

    Install & Use