Development of secure software now an imperative for global DevOps teams
2022-09-01 08:00

GitLab released the results of its annual DevSecOps survey which highlights the continued prioritization of security and compliance, investment in toolchain consolidation, and the ongoing impacts of rapid DevOps adoption. This Help Net Security video reveals how organizations continue to consolidate their DevOps toolchains and processes.

Microsoft Discovers Severe ‘One-Click’ Exploit for TikTok Android App
2022-09-01 07:13

"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team said in a write-up. Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos.

Oh no, that James Webb Space Telescope snap might actually contain malware
2022-09-01 07:04

Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims' computers - albeit in a roundabout way. The malware "incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system," Securonix's D. Iuzvyk, T. Peck, and O. Kolesnikov wrote in a report this week.

Dealing with cyber threats in the energy sector: Are we on the right path?
2022-09-01 05:00

In this interview for Help Net Security, Katie Taitler, Senior Cybersecurity Strategist at Axonius, talks about cyber threats in the energy sector and what should be improved to make sure this sector is properly guarded. What are the reasons the energy sector is so unprepared for these growing cyber threats?

7 metrics to measure the effectiveness of your security operations
2022-09-01 04:30

Given inflation and economic uncertainty, the cybersecurity industry is starting to experience budget cuts, despite a surge in ransomware attacks. As more budgets are going under the microscope, and in some cases, on the chopping block, one of the best ways for security leaders to protect their program is to ensure alignment with their executive teams and boards.

How Just-in-Time privilege elevation prevents data breaches and lateral movement
2022-09-01 04:00

This attack and many others reinforce the importance of an effective Privileged Access Management framework that enforces the principle of least privilege with Just-in-Time privilege elevation. Reasons why you need Just-in-Time privilege elevation: Minimize attack surface.

LabMD gets another shot at defamation claim against 'extortionate' infosec biz
2022-09-01 03:49

LabMD, the embattled and now defunct cancer-testing company, will get another chance at suing security firm Tiversa for defamation following an appeals court ruling. The testing laboratory has long alleged that: Tiversa illegally obtained a 1,178-page computer file containing confidential data on more than 9,000 LabMD patients back in 2008; lied about the file being publicly available on a peer-to-peer file-sharing network and that it was downloaded by miscreants; and tried to use this alleged privacy fiasco to bully the medical company into paying for Tiversa's incident response services to the tune of $475 an hour.

Does your cybercrime prevention program work?
2022-09-01 03:30

KELA surveyed 400 security team members in the US who were responsible for gathering cybercrime threat intelligence daily to better understand if they're proactively scanning the dark web and other cybercrime sources, what tools they're using, the gaps they see in their cybercrime threat intelligence approach, and more. "We found organizations may be less prepared for threats emerging from the cybercrime underground than they should be," said David Carmiel, CEO of KELA. "At KELA, our extensive intelligence expertise has shown us just how complex the cybercrime underground really is. The threats are much more comprehensive, and what organizations know and refer to as the dark web is changing within the hour."

Apple Releases iOS Update for Older iPhones to Fix Actively Exploited Vulnerability
2022-09-01 03:24

Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild. An anonymous researcher has been credited for reporting the vulnerability.

Infosec products of the month: August 2022
2022-09-01 03:00

Scrut Risk Management is an assessment tool that combines all required elements of risk management, including mapping standard specific controls to risks, tracking compliance progress against each mitigated risk, and computing inherent and residual risk - under one umbrella. Halo Security platform combines external asset risk and vulnerability assessment, and penetration testing services to provide organizations complete visibility into the risk posture of their internet-exposed assets on an ongoing basis.