Security News

Cybersecurity Ventures reported there are 3.5 million unfilled cybersecurity positions worldwide this year, and 750,000 of them are in the U.S. In an attempt to address this, as well as the lack of diversity in cybersecurity, Google is offering a Cybersecurity Certificate training program for anyone, including those with no background in coding or computer science. The company said the Google Cybersecurity Certificate, part of the Google Career Certificates portfolio of Coursera classes, offers an alternative to high-ticket collegiate training in cybersecurity, which is a slow pipeline with a high cost of entry.

As part of Google's commitment to building a strong cybersecurity workforce, the Google Cybersecurity Certificate offers an affordable and accessible pathway to a career in cybersecurity. Despite the urgent need to address this threat, there are currently more than 750,000 unfilled cybersecurity jobs in the U.S. We launched the new Cybersecurity Certificate to help employers fill critical roles, and to level the playing field for people of all backgrounds to enter the cybersecurity workforce.

Self-hosted web administration solution CloudPanel was found to have several security issues, including using the same SSL certificate private key across all installations and unintentional overwriting of firewall rules to default to weaker settings. Attackers would need to find fresh CloudPanel installations to exploit this problem, which is made possible by the third issue discovered by Rapid7.

Microsoft's WinGet package manager is currently having problems installing or upgrading packages after WinGet CDN's SSL/TLS certificate expired. The problem appears to be connected to WinGet CDN's SSL/TLS certificate that has now expired.

Simply put: someone used a pre-generated access code acquired from who-knows-where to leech the contents of various source code repositories that belonged to GitHub itself. In the case of stolen source code databases, whether they're stored on GitHub or elsewhere, there's always the risk that a private repository might include access credentials to other systems, or let cybercriminals get at code signing certificates that are used when actually building the software for public release.

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. The Microsoft-owned subsidiary said it detected unauthorized access to a set of deprecated repositories used in the planning and development of GitHub Desktop and Atom on December 7, 2022.

GitHub says unknown attackers have stolen encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories. GitHub has found no evidence that the password-protected certificates were used for malicious purposes.

Portainer smooths out the rather steep learning curve of Kubernetes, making it considerably easier for your teams to manage namespaces, networks, pods, ingresses, Helm, ConfigMaps & Secrets, Volumes and even the cluster. My go-to method of deploying Portainer is via a Microk8s cluster, which is the easiest method of getting Kubernetes support rolled into the web-based GUI; however, when deployed in this fashion, Portainer can be accessed either via HTTP or HTTPS and doesn't use SSL certificates.

It's December 2022 Patch Tuesday, and Microsoft has delivered fixes for 50+ vulnerabilities, including a Windows SmartScreen bypass flaw exploited by attackers to deliver a variety of malware. "A threat actor can craft a malicious file that would evade Mark of the Web defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging - for example, 'Protected View' in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality."

Platform certificates used by Android smartphone vendors like Samsung, LG, and MediaTek have been found to be abused to sign malicious apps. "A platform certificate is the application signing certificate used to sign the 'android' application on the system image," a report filed through the Android Partner Vulnerability Initiative reads.