Security News > 2023 > August

The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules: Public companies must “disclose any cybersecurity...

Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews. The Texas-based cybersecurity firm said the company acts as a command-and-control provider, which provides attackers with Remote Desktop Protocol virtual private servers and other anonymized services that ransomware affiliates and others use to pull off the cybercriminal endeavors.

An Australian Senate Committee has recommended banning Chinese social media apps in the land down under, on grounds the Communist Party of China uses them to spread propaganda and misinformation. The Select Committee on Foreign Interference through Social Media yesterday filed its final report [PDF] which outlines the reason the committee convened: social media has become the public square in which policy debate tales place, but "Is increasingly being weaponized to spread disinformation to deliberately mislead or obscure the truth for malicious or deceptive purposes." Plenty of that disinformation comes from foreign powers, "As part of a broader, integrated strategic campaign to advance their own national interests at Australia's expense."

The overarching mission of the US-based non-profit organization the Tor Project is to advance human rights and make open-source, privacy preserving software available to people globally, so that they can browse the internet privately, protect themselves against surveillance and bypass online censorship. To infosec professionals The Tor Project doesn't need an introduction, but there's always other people out there who have never heard of it.

In this Help Net Security interview, Attila Török, CISO at GoTo, discusses how to balance technical expertise and leadership and how he navigates the rapidly evolving technological landscape. In your opinion, what are the key characteristics of an effective CISO? How do you balance technical expertise and leadership skills?

"Technology is accelerating at a breakneck pace - bringing sophisticated new tools to both attackers and defenders. And although attacker tools are evolving, social engineering continues to be the leading tactic used to breach corporate networks," said Noopur Davis, EVP, Chief Information Security and Product Privacy Officer, Comcast Corporation and Comcast Cable. The report leverages data from 23.5 billion cybersecurity attacks, spanning 500 threat types and 900 distinct infrastructure and software vulnerabilities.

Advanced persistent threat actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network. The exact identity or origin of the threat actor remains unclear.

SpecterOps released version 5.0 of BloodHound Community Edition, a free and open-source penetration testing solution that maps attack paths in Microsoft Active Directory and Azure environments. "The way that BloodHound Community Edition maps out Attack Paths in AD and Azure is unique - there isn't another tool that can find hidden and unintentional relationships to identify complex Attack Paths that attackers can exploit. After this update, the tool will offer a user experience closer to an enterprise-grade product than an open-source tool," Andy Robbins, co-creator of BloodHound and a Principal Product Architect at SpecterOps, told Help Net Security.

As a result of growing access to easy-to-use generative AI tools such as OpenAI's ChatGPT, malicious actors can now attempt more sophisticated attacks with alarming simplicity and regularity. Email continued to be the main vector for delivering malicious content, with as many as 1 in every 100 emails sent in the first half of 2023 found to be malicious.

CEO, fresh with funds, lays out the dependency dilemma Interview Open source security biz Socket is extending its source code dependency checker, which previously addressed only JavaScript and...