Security News

Keep your business totally secure with this decentralized VPN We may be compensated by vendors who appear on this page through methods such as affiliate links or sponsored partnerships. This pocket-size device is small enough to take anywhere, and it provides VPN protection through a decentralized network.

Nicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution when PowerShell is available to unidentified attackers. Based on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 - to permit a remote actor to execute arbitrary code.

Australian telecom giant Optus on Monday confirmed that nearly 2.1 million of its current and former customers suffered a leak of their personal information and at least one form of identification number as a result of a data breach late last month. "Approximately 1.2 million customers have had at least one number from a current and valid form of identification, and personal information, compromised," Singtel said in an announcement made on its website.

The president of casual Japanese chain restaurant Kappa Sushi resigned yesterday in the wake of a data-theft scandal that has rocked the world of sushi trains. Before he became boss of Kappa Sushi, Tanabe led rival discount sushi establishment Hama Sushi - which has accused Tanabe of stealing trade secrets by accessing data caches that reveal how it slices the price of nigiri to just 75 cents.

The pros and cons of OSS. The challenge of OSS security is that just because everyone can look at the source code, it does not mean anyone will. A recent report from the Linux Foundation found that the average number of outstanding critical vulnerabilities in an application is 5.1, and that 41% of organizations are not confident in their open source software security.

In this Help Net Security video, David Samuelson, CEO at ISACA, talks about how enterprises approach digital trust. While nearly 98% of respondents to an ISACA survey say that digital trust is essential, and 63% say that digital trust is relevant to their jobs, only 12% of their organizations have a dedicated staff role for digital trust.

To withstand cyberattacks, businesses must continually update internal systems and avoid hasty tech upgrades that might open the door to attackers. In this Help Net Security video, Phillip Verheyden, Security Engineer at Shipwell, discusses the challenges technology organizations face when investing in cybersecurity and offers tips for CISOs, from securing development to dealing with phishing attacks.

In recent years organizations such as NIST and Microsoft have abandoned this longstanding best practice and are now recommending against mandatory password expiration. From Microsoft's perspective it is far better for a user to create a strong but unchanging password than to simply create a password that barely adheres to the organization's minimal password requirements and then make small changes to that password each time that the organization requires the password to be changed.

Incident responders are primarily driven by a strong sense of duty to protect others. The global survey of over 1100 cybersecurity incident responders in 10 markets revealed trends and challenges that incident responders experience due to the nature of their profession.

In this Help Net Security video, Austin Jones, Principal Software Engineer at ThreatX, explains what HTTP request smuggling is, and discusses a recently uncovered HTTP request smuggling vulnerability in Node.js. This vulnerability allows an attacker to bypass security controls on the target server to conduct any nefarious activities.