Security News

CISA: Federal agencies hacked using legitimate remote desktop tools
2023-01-25 21:18

CISA, the NSA, and MS-ISAC warned today in a joint advisory that attackers are increasingly using legitimate remote monitoring and management software for malicious purposes. More worryingly, using the EINSTEIN intrusion detection system, CISA discovered malicious activity within the networks of multiple federal civilian executive branch agencies after the release of a Silent Push report in mid-October 2022.

Trained developers get rid of more vulnerabilities than code scanning tools
2023-01-23 04:00

An EMA survey of 129 software development professionals uncovered that for those using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it. "Awareness is a primer for knowledge, but to truly shift the paradigm and solve the AppSec dilemma, the focus must change from 'awareness' of AppSec to 'in-depth knowledge' and training developers on secure coding practices is the next step in security awareness programs. Vulnerabilities detected earlier in development are easier to resolve and far less costly. And this requires a programmatic and continuous approach to application security education and specifically secure coding training for developers," Baker continued.

Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain
2023-01-05 14:55

A financially motivated threat actor tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador. Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and for launching indiscriminate attacks against South American nations since at least 2018.

UK lawmakers look to enforce blocking tools for legal but harmful content
2022-12-09 13:30

The UK government is putting forward changes to the law which would require social media platforms to give users the option to avoid seeing and engaging with harmful - but legal - content. Presenting the amended Online Safety Bill to Parliament this week, Michelle Donelan, the minister for digital, culture, media and sport, pledged to create a "third shield" to protect users from harmful content.

Kali Linux 2022.4 adds 6 new tools, Azure images, and desktop updates
2022-12-06 21:43

Kali Linux images for Azure, QEMU. Kali Linux is now available in the Azure Marketplace, allowing you to deploy the image and perform penetration testing from the cloud. In reality, Kali Linux 2022.3 made it to Azure first, with the team tweeting its addition on August 30th, after 2022.3 was already released.

Kali Linux 2022.4 released: Kali NetHunter Pro, desktop updates and new tools
2022-12-06 20:43

Offensive Security has released Kali Linux 2022.4, the latest version of its popular penetration testing and digital forensics platform. Aside from updates to existing tools, a new Kali version always delivers new tools.

Top 10 free MITRE ATT&CK tools and resources
2022-12-05 05:30

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. Below you can find a collection of MITRE ATT&CK tools and resources available for free.

How to run better meetings with new Microsoft Teams tools
2022-12-01 20:09

There are also more security options for what Teams product marketing director Caroline Stanford called "cone of silence" meetings at the recent Microsoft Ignite conference; those are the digital version of board meetings, financial planning meetings or reviews of unannounced products in the office "with the blinds closed and the door locked." Plus, you can use Microsoft Purview Information Protection sensitivity labels to apply the right settings for specific kinds of meetings.

Week in review: 5 Kali Linux tools, Spotify’s Backstage vulnerability, Cybertech NYC 2022
2022-11-20 09:00

5 Kali Linux tools you should learn how to use: Kali Linux is a specialized Linux distribution developed by Offensive Security, designed for experienced Linux users who need a customized platform for penetration testing. Stop audience hijacking and defend against redirection to malicious websites: In this Help Net Security video, Patrick Sullivan, CTO of Security Strategy at Akamai, talks about the threat of audience hijacking and offers protection tips.

5 Kali Linux tools you should learn how to use
2022-11-14 04:30

Kali Linux is a specialized Linux distribution developed by Offensive Security, designed for experienced Linux users who need a customized platform for penetration testing. Kali Linux also comes with several hundred specialized tools for carrying out penetration testing, security research, computer forensics, reverse engineering, vulnerability management, and red team testing.