The National Institute of Standards and Technology (NIST) is clearing the backlog of unprocessed CVE-numbered vulnerabilities in the National Vulnerability Database (NVD), but has admitted that their initial estimate of when they would finish the job was “optimistic”. About the…
Category: Help Net Security
Google launches on-device AI to alert Android users of scam calls in real-time
Google has announced new security features for Android that provide real-time protection against scams and harmful apps. These features, powered by advanced on-device AI, enhance user safety without compromising privacy. These new security features are available first on Pixel and…
VersaONE unifies security and networking into a single, centrally managed platform
Versa introduced the VersaONE Universal SASE Platform to enhance security and networking capabilities across WAN, LAN, data centers, and cloud. Powered by AI, VersaONE delivers converged SASE, SSE, SD-WAN, and SD-LAN products via a unified platform to securely connect all…
FBI confirms China-linked cyber espionage involving breached telecom providers
After months of news reports that Chinese threat actors have breached the networks of US telecommunications and internet service providers, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed the success of the attacks, which were part…
Red Hat Enterprise Linux 9.5 helps organizations simplify operations
Red Hat announced Red Hat Enterprise Linux 9.5. Red Hat Enterprise Linux helps organizations deploy applications and workloads more quickly and with greater reliability, enabling them to lower costs and more effectively manage workloads across hybrid cloud deployments while mitigating…
How a Windows zero-day was exploited in the wild for months (CVE-2024-43451)
CVE-2024-43451, a Windows zero-day vulnerability for which Microsoft released a fix on November 2024 Patch Tuesday, has been exploited since at least April 2024, ClearSky researchers have revealed. About the vulnerability CVE-2024-43451 affects all supported Windows versions and, when triggered,…
Zero-days dominate top frequently exploited vulnerabilities
A joint report by leading cybersecurity agencies from the U.S., UK, Canada, Australia, and New Zealand has identified the most commonly exploited vulnerabilities of 2023. Zero-day vulnerabilities on the rise The advisory highlights that malicious cyber actors increasingly targeted zero-day…
How Intel is making open source accessible to all developers
In this Help Net Security interview, Arun Gupta, Vice President and General Manager for Open Ecosystem, Intel, discusses the company’s commitment to fostering an open ecosystem as a cornerstone of its software strategy. He explains how this approach empowers developers…
Google Cloud Cybersecurity Forecast 2025: AI, geopolitics, and cybercrime take centre stage
Google Cloud unveiled its Cybersecurity Forecast for 2025, offering a detailed analysis of the emerging threat landscape and key security trends that organizations worldwide should prepare for. The report delivers insights into the tactics of cyber adversaries, providing advice for…
How cybersecurity failures are draining business budgets
Security leaders feel under increasing pressure to provide assurances around cybersecurity, exposing them to greater personal risk – yet many lack the data and resources to accurately report and close cybersecurity gaps, according to Panaseer. The report analyses the findings…
What 2025 holds for user identity protection
In this Help Net Security video, David Cottingham, President of rf IDEAS, discusses what he sees as the most prominent areas for improvement and continued change in the space: As we move into 2025, it’s evident that businesses recognize MFA…
Vectra AI adds AI-powered detections to help secure Microsoft customers
Vectra AI announced the extension of the Vectra AI Platform to include comprehensive coverage for customers’ Microsoft Azure environments. With the addition of over 40 unique attacker behavior detections for Microsoft Azure, Vectra AI now delivers over 100 AI-driven attacker…
Absolute Security releases Enterprise Edition
Absolute Security launched Enterprise Edition, combining the new Safe Connect for Secure Access and Comply Module for Secure Endpoint. With these innovations, Enterprise Edition is the comprehensive Security Service Edge (SSE) that can ensure only secure and compliant devices are…
Cequence Security enables organizations to elevate their API defenses
Cequence Security announced its new API Security Assessment Services. Designed to provide immediate, actionable insights into API security risks, these time-bound and fixed services leverage Cequence’s advanced Unified API Protection platform, enabling companies to identify and address security gaps within…
Infostealers increasingly impact global security
Check Point Software’s latest threat index reveals a significant rise in infostealers like Lumma Stealer, while mobile malware like Necro continues to pose a significant threat, highlighting the evolving tactics used by cybercriminals across the globe. Last month researchers discovered…
GoIssue phishing tool targets GitHub developer credentials
Researchers discovered GoIssue, a new phishing tool targeting GitHub users, designed to extract email addresses from public profiles and launch mass email attacks. Marketed on a cybercrime forum, GoIssue allows attackers to send bulk emails while keeping their identity hidden…
Nirmata Control Hub automates security with policy-as-code
Nirmata launched Nirmata Control Hub, a comprehensive platform designed to prevent misconfigurations and automate security through policy-as-code. As Artificial Intelligence (AI) accelerates the adoption of Kubernetes and cloud-native technologies, enterprises are increasingly facing security challenges due to the growing complexity…
Rakuten Viber unveils new security solutions for businesses
Rakuten Viber has launched new solutions to further protect communication on the platform. Businesses can now quickly authenticate users to enhance trust and reduce fraud, making interactions more secure. Verification messages provide a secure and seamless way to authenticate clients…
Cisco introduces Wi-Fi 7 access points to enhance employee and customer experiences
Cisco introduces new intelligent, secure and assured wireless innovations, with smart Wi-Fi 7 access points and unified subscription licensing that can enable smart spaces out-of-the-box. These innovations empower customers to solve for their connectivity, security and assurance challenges, while also…
Aerospace employees targeted with malicious “dream job” offers
It’s not just North Korean hackers who reach out to targets via LinkedIn: since at least September 2023, Iranian threat actor TA455 has been trying to compromise workers in the aerospace industry by impersonating job recruiters on the popular employment-focused…
Splunk expands observability portfolio to provide organizations with deeper business context
Splunk announced innovations across its expanded observability portfolio to empower organizations to build a leading observability practice. These product advancements provide ITOps and engineering teams with more options to unify visibility across their entire IT environment to drive faster detection…
Bectran adds RSA encryption to protect the transmission of sensitive data
Keeping information secure is both a leading challenge and priority among B2B credit, collections and accounts receivables departments. It requires vigilance against scams like identity theft and hacks that intercept vital business and customer information in transit. Bectran has implemented…
Syteca Account Discovery strengthens privileged access management
Syteca launched Account Discovery, a new feature within its Privileged Access Management (PAM) solution. This enhancement enables organizations to automatically detect and manage privileged accounts across their IT infrastructure, significantly reducing security risks associated with unmanaged access credentials. The new…
CISOs in 2025: Balancing security, compliance, and accountability
In this Help Net Security interview, Daniel Schwalbe, CISO at DomainTools, discusses the intensifying regulatory demands that have reshaped CISO accountability and daily decision-making. He outlines the skill sets future CISOs need, their key priorities for 2025, and how increased…
Social engineering scams sweep through financial institutions
North American financial institutions fielded 10 times more reports of social engineering scams in 2024 than they did a year ago, according to BioCatch. The data shows scams now represent 23% of all digital banking fraud. Growing danger of deepfake…
Tips for a successful cybersecurity job interview
Whether you’re looking to enhance your existing cybersecurity skills or just beginning your journey in the field, cybersecurity offers a wide range of career opportunities. If you’re considering a career shift, exploring new job opportunities, or aiming to upgrade your…
Cyber professionals face an IP loss reckoning in 2025
AI can expose your work secrets. The same goes for AI-generated content, which has revolutionized workplace productivity but comes with hidden risks. As more employees use AI models to streamline tasks—whether drafting reports, building code, or designing products, they may…
Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)
November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new security issues in its various products, two of which – CVE-2024-43451 and CVE-2024-49039 – are actively exploited by attackers. The exploited vulnerabilities (CVE-2024-43451, CVE-2024-49039) CVE-2024-43451 is…
Druva empowers businesses to secure data throughout Microsoft environments
Druva announced support for Microsoft Dynamics 365 to help enterprises secure mission-critical data across Dynamics 365 Sales and Customer Service CRM modules. With support for Dynamics 365, Druva ensures customers can keep business-critical CRM data secure and maintain business operations…
Akamai App Platform reduces the complexity associated with managing Kubernetes clusters
Akamai announced the Akamai App Platform, a ready-to-run solution that makes it easy to deploy, manage, and scale highly distributed applications. The Akamai App Platform is built on top of the cloud native Kubernetes technology Otomi, which Akamai acquired from…
BlackFog platform enhancements boost data loss prevention
BlackFog launched its next generation enterprise platform to deliver even more powerful ransomware and insider threat prevention. BlackFog’s pioneering platform focuses specifically on anti data exfiltration to prevent unauthorized data from leaving a device, ensuring that an organization’s most sensitive…
Hot Topic breach: Has your credit card info been compromised?
If you’re wondering whether your personal and financial data has been compromised in the massive Hot Topic breach, you can use two separate online tools to check: Have I Been Pwned? or DataBreach.com. Which data was compromised? News of a…
F5 AI Gateway secures and optimizes access to AI applications
F5 announced early access of F5 AI Gateway to streamline interactions between applications, APIs, and large language models (LLMs) driving enterprise AI adoption. This powerful containerized solution optimizes performance, observability, and protection capabilities—all leading to reduced costs. Integrated with F5’s…
Zscaler Zero Trust Segmentation prevents lateral movement from ransomware attacks
Zscaler announced a Zero Trust Segmentation solution to provide a more secure, agile and cost-effective means to connect users, devices, and workloads across and within globally distributed branches, factories, campuses, data centers, and public clouds. While traditional networks, including SD-WAN…
Eurotech ReliaGATE 15A-14 enables organizations to meet regulatory standards
Eurotech launches ReliaGATE 15A-14, a cybersecure modular edge gateway designed to meet the growing demand for secure, flexible, and globally deployable IoT solutions. Built to support a wide range of applications, the ReliaGATE 15A-14 accelerates IoT projects by simplifying compliance…
Immersive Labs AI Scenario Generator improves cyber skills against various attack types
Immersive Labs introduced AI Scenario Generator. This new capability enables organizations to generate threat scenarios for crisis simulations to ensure their workforces are ready for the latest threats. By inputting a few short prompts, customers can use the AI Scenario…
Massive troves of Amazon, HSBC employee data leaked
A threat actor who goes by the online moniker “Nam3L3ss” has leaked employee data belonging to a number of corporations – including Amazon, 3M, HSBC and HP – ostensibly compromised during the May 2023 MOVEit hack by the Cl0p ransomware…
Powerpipe: Open-source dashboards for DevOps
Powerpipe is an open-source solution designed to streamline DevOps management with powerful visualization and compliance tools, making it simple to track, assess, and act on key data for smarter decision-making and continuous compliance monitoring. Dynamic dashboards and reports Powerpipe’s high-level…
Evaluating your organization’s application risk management journey
In this Help Net Security interview, Chris Wysopal, Chief Security Evangelist at Veracode, discusses strategies for CISOs to quantify application risk in financial terms. Wysopal outlines the need for continuous risk management practices and robust strategies to manage third-party software…
The changing face of identity security
It’s easy to see why identity security is often synonymous with user security. Social engineering tactics are the mainstay of the threat actor’s arsenal, and it’s rare to find an attack that doesn’t feature them to some degree. Getting hold…
Cybersecurity jobs available right now: November 12, 2024
Cloud Security Lead CIÉ – Córas Iompair Éireann | Ireland | Hybrid – View job details As a Cloud Security Lead, you will ensure the security of CIE’s Azure environment by developing and implementing cloud security strategies and policies. You…
The Ultimate Guide to the CGRC
Even the brightest minds benefit from guidance on the journey to success. The Ultimate Guide covers everything you need to know about Certified in Governance, Risk and Compliance (CGRC) certification. See how CGRC – and ISC2 – can help you…
Ambitious cybersecurity regulations leave companies in compliance chaos
While the goal of cybersecurity regulations is to bring order among organizations and ensure they take security and risks seriously, the growing number of regulations has also introduced a considerable set of challenges that organizations and their leaders must address.…
November 2024 Patch Tuesday forecast: New servers arrive early
Microsoft followed their October precedent set with Windows 11 24H2 and announced Microsoft Server 2025 on the first of November. We were expecting the official announcement at Microsoft Ignite near the end of the month, but with the early release,…
Strategies for CISOs navigating hybrid and multi-cloud security
In this Help Net Security interview, Alex Freedland, CEO at Mirantis, discusses the cloud security challenges that CISOs need to tackle as multi-cloud and hybrid environments become the norm. He points out the expanded attack surfaces, the importance of consistent…
4 reasons why veterans thrive as cybersecurity professionals
Through their past military service, veterans are trained to think like adversaries, often share that mission-driven spirit and excel when working with a team to achieve a larger goal. They develop and champion the unique traits that cybersecurity companies need…
How human ingenuity continues to outpace automated security tools
10% of security researchers now specialize in AI technology as 48% of security leaders consider AI to be one of the greatest risks to their organizations, according to HackerOne. HackerOne’s report combines perspectives from the researcher community, customers, and security…
Setting a security standard: From vulnerability to exposure management
Vulnerability management has been the standard approach to fending off cyber threats for years. Still, it falls short by focusing on a limited number of vulnerabilities, often resolving only 1% to 20% of issues. In 2024, with the average data…
Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443) Synology has released fixes for an unauthenticated “zero-click” remote code execution flaw (CVE-2024-10443, aka RISK:STATION)…
Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910)
A vulnerability (CVE-2024-5910) in Palo Alto Networks Expedition, a firewall configuration migration tool, is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Thursday. About CVE-2024-5910 Unearthed and reported by Brian Hysell of…
Mirantis provides support offerings for Harbor Registry and KubeVirt
Mirantis launched Mirantis Harbor Registry Support and Mirantis KubeVirt Support offerings, providing support for managing container image registries and virtual machine workloads within any Kubernetes environment, irrespective of the underlying infrastructure or Kubernetes distribution. “For organizations seeking pure open-source deployments,…
AppOmni partners with Cisco to extend zero trust to SaaS
AppOmni announced a significant partnership that combines the company’s Zero Trust Posture Management (ZTPM) solution with Cisco’s Security Service Edge (SSE) technology suite to enable zero trust principles at the application layer in Security-as-a-Service (SaaS) applications. The combined solution provides…
Apple’s 45-day certificate proposal: A call to action
In a bold move, Apple has published a draft ballot for commentary to GitHub to shorten Transport Layer Security (TLS) certificates down from 398 days to just 45 days by 2027. The Apple proposal will likely go up for a…
Am I Isolated: Open-source container security benchmark
Am I Isolated is an open-source container security benchmark that probes users’ runtime environments and tests for container isolation. The Rust-based container runtime scanner runs as a container, detecting gaps in users’ container runtime isolation. It also provides guidance to…
A closer look at the 2023-2030 Australian Cyber Security Strategy
In this Help Net Security video, David Cottingham, CEO of Airlock Digital, discusses the 2023-2030 Australian Cyber Security Strategy and reviews joint and individual cybersecurity efforts, progress, and strategies over the past year. The Australian Government’s 2023-2030 Cyber Security Strategy,…
Why AI-enhanced threats and legal uncertainty are top of mind for risk executives
AI-enhanced malicious attacks are the top emerging risk for enterprises in the third quarter of 2024, according to Gartner. Key emerging risks for enterprises It’s the third consecutive quarter with these attacks being the top of emerging risk. IT vendor…
New infosec products of the week: November 8, 2024
Here’s a look at the most interesting products from the past week, featuring releases from Atakama, Authlete, Symbiotic Security, and Zywave. Atakama introduces DNS filtering designed for MSPs Atakama announced the latest expansion of its Managed Browser Security Platform, introducing…
Fortinet expands GenAI capabilities across its portfolio with two new additions
Fortinet announced the expansion of GenAI capabilities across its product portfolio with the launch of two new integrations with FortiAI, Fortinet’s AI-powered security assistant that uses GenAI to guide, simplify, and automate security analyst activities. “Our commitment to AI innovation…
Malwarebytes acquires AzireVPN to boost security for customers
Malwarebytes announced the acquisition of AzireVPN, a renowned privacy-focused VPN provider. Malwarebytes has long been a defender of user privacy through its portfolio of consumer solutions, including Malwarebytes Privacy VPN and its free ad and scam blocker web extension Malwarebytes…
Drawbridge simplifies cyber governance for alternative investment firms
Drawbridge is debuting a real-time executive summary of a manager’s cyber risk program. The aim is to enable alternative investment managers (alts managers) to strengthen executive confidence in their firm’s cyber posture by working with their Drawbridge cybersecurity experts. General…
AudioEye Accessibility Protection Status identifies high-impact areas for improvement
AudioEye launched Accessibility Protection Status, a new benchmark in digital accessibility compliance that empowers businesses to achieve better transparency, clarity, and control over their digital accessibility efforts. With a more accurate representation of accessibility efforts beyond arbitrary numerical scores, the…
Industrial companies in Europe targeted with GuLoader
A recent spear-phishing campaign targeting industrial and engineering companies in Europe was aimed at saddling victims with the popular GuLoader downloader and, ultimately, a remote access trojan that would permit attackers to steal information from and access compromised computers whenever…
North Korean hackers employ new tactics to compromise crypto-related businesses
North Korean hackers are targeting crypto-related businesses with phishing emails and novel macOS-specific malware. The crypto-related phishing campaign Since July 2024, phishing emails seemingly containing helpful information on risks related to the rise of the price of Bitcoin have been…
Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418)
Cisco has fixed a critical command injection vulnerability (CVE-2024-20418) affecting its Ultra-Reliable Wireless Backhaul (URWB) Access Points that can be exploited via a HTTP requests and allows complete compromise of the devices. There are no workarounds to address this flaw,…
Zywave enhances Cyber Quoting to provide insight into coverage limit adequacy and potential loss gaps
Zywave announced an enhancement to its Cyber Quoting solution with the addition of embedded benchmarking. Brokers can now leverage industry data and loss profiles from similar organizations to provide their clients with more sophisticated insight into coverage limit adequacy and…
AWS security essentials for managing compliance, data protection, and threat detection
AWS offers a comprehensive suite of security tools to help organizations manage compliance, protect sensitive data, and detect threats within their environments. From AWS Security Hub and Amazon GuardDuty to Amazon Macie and AWS Config, each tool is vital in…
How AI will shape the next generation of cyber threats
In this Help Net Security interview, Buzz Hillestad, CISO at Prismatic, discusses how AI’s advancement reshapes cybercriminal skillsets and lowers entry barriers for potential attackers. Hillestad highlights that, as AI tools become more accessible, organizations must adapt their defenses to…
Consumer privacy risks of data aggregation: What should organizations do?
In September 2024, the Federal Trade Commission (FTC) released an eye-opening report that digs into the data habits of nine major tech giants, including Amazon (Twitch), ByteDance (TikTok), Discord, Facebook, Reddit, Snap, Twitter, WhatsApp, and YouTube. The findings reveal extensive,…
Atakama introduces DNS filtering designed for MSPs
Atakama announced the latest expansion of its Managed Browser Security Platform, introducing DNS filtering explicitly designed for Managed Service Providers (MSPs). This new feature enables comprehensive in-browser and network-level filtering, providing a full-spectrum DNS solution that secures browsers and entire…
All Google Cloud users will have to enable MFA by 2025
Google has announced that, by the end of 2025, multi-factor authentication (MFA) – aka 2-step verification – will become mandatory for all Google Cloud accounts. “Given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining…
GoZone ransomware accuses and threatens victims
A new ransomware dubbed GoZone is being leveraged by attackers that don’t seem to be very greedy: they are asking the victims to pay just $1,000 in Bitcoin if they want their files decrypted. The GoZone HTML ransom note (Source:…
Authlete 3.0 empowers organizations to improve how they issue and manage user credentials
Authlete launched Authlete 3.0, offering support for OpenID for Verifiable Credential Issuance (OID4VCI). This new capability empowers organizations—including governments, financial institutions, and educational establishments—to revolutionize how they issue and manage user credentials. With the introduction of Authlete 3.0, Authlete now…
Symbiotic provides developers with real-time feedback on potential security vulnerabilities
Symbiotic Security launched a real-time security for software development that combines detection and remediation with just-in-time training – incorporating security testing and training directly into the development process without breaking developers’ workflows. Backed with $3 million of seed funding from…
The cybersecurity gender gap: How diverse teams improve threat response
In this Help Net Security interview, Julie Madhusoodanan, Head of CyberSecurity at LinkedIn, discusses how closing the gender gap could enhance cybersecurity’s effectiveness in combating emerging threats. With women still underrepresented in cybersecurity roles, she emphasizes how diverse teams bring…
Osmedeus: Open-source workflow engine for offensive security
Osmedeus is an open-source workflow engine designed for offensive security. It serves as a versatile foundation, enabling users to easily create customized reconnaissance systems and scale them across extensive target lists. Osmedeus key features Speed up your recon process Organize…
Key cybersecurity predictions for 2025
In this Help Net Security video, Chris Gibson, CEO at FIRST, discusses the evolving threat landscape and provides a unique take on where data breaches and cyber attacks will be in 2025. The post Key cybersecurity predictions for 2025 appeared…
Identity-related data breaches cost more than average incidents
Identity-related data breaches are more severe and costly than run-of-the-mill incidents, according to RSA. 40% of respondents reported an identity-related security breach. Of those, 66% reported it as a severe event that affected their organization. 44% estimated that the total…
Beware of phishing emails delivering backdoored Linux VMs!
Unknown attackers are trying to trick Windows users into spinning up a custom Linux virtual machine (VM) with a pre-configured backdoor, Securonix researchers have discovered. The campaign The attack began with a phishing email, they believe, but they weren’t able…
Lumifi acquires Critical Insight to boost incident response capabilities
Lumifi announces the acquisition of Critical Insight, marking its third acquisition in 13 months. This strategic move expands Lumifi’s service offerings and strengthens its presence in the healthcare and critical infrastructure cybersecurity sector. The acquisition adds to Lumifi’s existing offerings,…
Google patches actively exploited Android vulnerability (CVE-2024-43093)
Google has delivered fixes for two vulnerabilities endangering Android users that “may be under limited, targeted exploitation”: CVE-2024-43047, a flaw affecting Qualcomm chipsets, and CVE-2024-43093, a vulnerability in the Google Play framework. The exploited vulnerabilities (CVE-2024-43047, CVE-2024-43093) Qualcomm patched CVE-2024-43047…
Report: Voice of Practitioners 2024 – The True State of Secrets Security
In this study, GitGuardian and CyberArk reveal the stark reality of secrets management across 1,000 organizations. With 79% experiencing secrets leaks and an average remediation time of 27 days, the findings expose critical gaps between security confidence and reality. Learn…
BigID DSPM Starter App enhances data security posture for Snowflake customers
BigID launched Data Security Posture Management (DSPM) Starter App, built natively in Snowflake and using the Snowflake Native App Framework. BigID’s DSPM Starter App will be available via Snowflake Marketplace and provide rapid data discovery and classification assessment natively in…
Open-source software: A first attempt at organization after CRA
The open-source software (OSS) industry is developing the core software for the global infrastructure, to the point that even some proprietary software giants adopt Linux servers for their cloud services. Still, it has never been able to get organized by…
Maximizing security visibility on a budget
In this Help Net Security interview, Barry Mainz, CEO at Forescout, discusses the obstacles organizations encounter in attaining security visibility, particularly within cloud and hybrid environments. He explains why asset intelligence—going beyond basic visibility to understand device behavior and risk—is…
AI learning mechanisms may lead to increase in codebase leaks
The proliferation of non-human identities and the complexity of modern application architectures has created significant security challenges, particularly in managing sensitive credentials, according to GitGuardian. Based on a survey of 1,000 IT decision-makers in organizations with over 500 employees across…
Cybersecurity jobs available right now: November 5, 2024
Application Security Engineer MassMutual | USA | Hybrid – View job details As an Application Security Engineer, you will conduct in-depth security assessments, including vulnerability scanning, and code reviews. Ensure secure coding practices are followed, and security controls are incorporated…
Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443)
Synology has released fixes for an unauthenticated “zero-click” remote code execution flaw (CVE-2024-10443, aka RISK:STATION) affecting its popular DiskStation and BeeStation network attached storage (NAS) devices. About CVE-2024-10443 CVE-2024-10443 was discovered by Rick de Jager, a security researcher at Midnight…
IRISSCON 2024 to address AI’s dual impact on cybersecurity
The IRISSCERT Cyber Crime Conference (IRISSCON) returns on November 6th at the Aviva Stadium, where global cybersecurity leaders will explore AI’s revolutionary role in defending against and contributing to cyber threats. As Ireland’s longest-standing cybersecurity conference, IRISSCON 2024 will dive…
Hiring guide: Key skills for cybersecurity researchers
In this Help Net Security interview, Rachel Barouch, an Organizational Coach for VCs and startups and a former VP HR in both a VC and a Cybersecurity startup, discusses the dynamics of cybersecurity researchers and team-building strategies. She highlights that…
Cybersecurity in crisis: Are we ready for what’s coming?
In this Help Net Security video, James Edgar, CISO at Corpay, reveals insights into cybersecurity health, concerns, challenges, and other considerations for building a solid defense program. Key insights revealed in Corpay’s 2024 State of Business Cybersecurity Report: 67% of…
Whispr: Open-source multi-vault secret injection tool
Whispr is an open-source CLI tool designed to securely inject secrets from secret vaults, such as AWS Secrets Manager and Azure Key Vault, directly into your application’s environment. This enhances secure local software development by seamlessly managing sensitive information. Whispr…
Strong privacy laws boost confidence in sharing information with AI
53% of consumers report being aware of their national privacy laws, a 17-percentage point increase compared to 2019, according to Cisco. Informed consumers are also much more likely to feel their data is protected (81%) compared to those who are…
Week in review: Windows Themes spoofing bug “returns”, employees phished via Microsoft Teams
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Patching problems: The “return” of a Windows Themes spoofing vulnerability Despite two patching attempts, a security issue that may allow attackers to compromise Windows user’s…
50% of financial orgs have high-severity security flaws in their apps
Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 76% of organizations in the financial services sector, with 50% of organizations carrying critical security debt, according to Veracode. Financial sector apps…
How open-source MDM solutions simplify cross-platform device management
In this Help Net Security interview, Mike McNeil, CEO at Fleet, talks about the security risks posed by unmanaged mobile devices and how mobile device management (MDM) solutions help address them. He also discusses employee resistance to MDM and how…
OpenPaX: Open-source kernel patch that mitigates memory safety errors
OpenPaX is an open-source kernel patch that mitigates common memory safety errors, re-hardening systems against application-level memory safety attacks using a simple Linux kernel patch. It’s available under the same GPLv2 license terms as the Linux kernel. “We are pleased…
Threat actors are stepping up their tactics to bypass email protections
Although most organizations use emails with built-in security features that filter out suspicious messages, criminals always find a way to bypass these systems. With the development of AI technology, phishing is becoming increasingly difficult to recognize, allowing them to circumvent…
Infosec products of the month: October 2024
Here’s a look at the most interesting products from the past month, featuring releases from: Action1, Balbix, BreachLock, Commvault, Dashlane, Data Theorem, Edgio, ExtraHop, Fastly, Frontegg, GitGuardian, IBM, Ivanti, Jumio, Kusari, Legit Security, Metomic, Nametag, Neon, Nucleus Security, Okta, Qualys,…
Sophos mounted counter-offensive operation to foil Chinese attackers
Sophos conducted defensive and counter-offensive operation over the last five years with multiple interlinked nation-state adversaries based in China targeting perimeter devices, including Sophos Firewalls. Espionage campaigns tied to Chinese hacking groups The attackers used a series of campaigns with…
Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups
A supply chain compromise involving Lottie Player, a widely used web component for playing site and app animations, has made popular decentralized finance apps show pop-ups urging users to connect their wallets, TradingView has reported. The pop-up (Source: Lottie Player…