Week in review: 6 free resources for getting started in cybersecurity, Patch Tuesday forecast


Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

The misconceptions preventing wider adoption of digital signatures
In this Help Net Security interview, Thorsten Hau, CEO at fidentity, discusses the legal validity of qualified digital signatures, demonstrating their equivalence to handwritten signatures when backed by robust identity verification.

Shifting left and right, innovating product security
In this Help Net Security interview, Slava Bronfman, CEO at Cybellum, discusses approaches for achieving product security throughout a device’s entire lifecycle, fostering collaboration across business units and product lines, ensuring transparency and security in the supply chain, and meeting regulatory requirements while ensuring compliance.

Reaper: Open-source reconnaissance and attack proxy workflow automation
Reaper is an open-source reconnaissance and attack proxy, built to be a modern, lightweight, and efficient equivalent to Burp Suite/ZAP. It focuses on automation, collaboration, and building universally distributable workflows.

Atlas VPN zero-day allows sites to discover users’ IP address
Atlas VPN has confirmed the existence of a zero-day vulnerability that may allow website owners to discover Linux users’ real IP address.

Old vulnerabilities are still a big problem
A recently flagged phishing campaign aimed at delivering the Agent Tesla RAT to unsuspecting users takes advantage of old vulnerabilities in Microsoft Office that allow remote code execution.

LibreOffice: Stability, security, and continued development
LibreOffice, the most widely used open-source office productivity suite, has plenty to recommend it: it’s feature-rich, user-friendly, well-documented, reliable, has an active community of developers working on improving it, and it’s free.

How Chinese hackers got their hands on Microsoft’s token signing key
The mystery of how Chinese hackers managed to steal a crucial signing key that allowed them to breach Microsoft 365’s email service and access accounts of employees of 25 government agencies has been explained: they found it somewhere where it shouldn’t have been – Microsoft’s corporate environment.

Apple patches two zero-days under attack (CVE-2023-41064, CVE-2023-41061)
Apple has patched two zero-day vulnerabilities (CVE-2023-41064, CVE-2023-41061) exploited to deliver NSO Group’s Pegasus spyware.

LockBit leaks sensitive data from maximum security fence manufacturer
The LockBit ransomware group has breached Zaun, a UK-based manufacturer of fencing systems for military sites and critical utilities, by compromising a legacy computer running Windows 7 and using it as an initial point of access to the wider company network.

5 ways in which FHE can solve blockchain’s privacy problems
Blockchain technology has gained significant traction due to its decentralized nature and immutability, providing transparency and security for various applications, especially in finance.

Cybercriminals target MS SQL servers to deliver ransomware
A cyberattack campaign is targeting exposed Microsoft SQL (MS SQL) databases, aiming to deliver ransomware and Cobalt Strike payloads.

Connected cars and cybercrime: A primer
As our vehicles become more connected to the outside world, the attack surface available to cybercriminals is rapidly increasing, and new “smart” features on the current generation of vehicles worldwide open the door for new threats.

MacOS malware has a new trick up its sleeve
A newer version of the Atomic Stealer macOS malware has a new trick that allows it to bypass the operating system’s Gatekeeper, Malwarebytes researchers have discovered.

Emerging threat: AI-powered social engineering
Social engineering is a sophisticated form of manipulation but, thanks to AI advancements, malicious groups have gained access to highly sophisticated tools, suggesting that we might be facing more elaborate social engineering attacks in the future.

North Korean hackers target security researchers with zero-day exploit
North Korean threat actors are once again attempting to compromise security researchers’ machines by employing a zero-day exploit.

3 ways to strike the right balance with generative AI
To find the sweet spot where innovation doesn’t mean sacrificing your security posture, organizations should consider the following three best practices when leveraging AI.

Why end-to-end encryption matters
In this Help Net Security video, Kayne McGladrey, IEEE Senior Member and Field CISO at Hyperproof, discusses end-to-end encryption (E2EE).

September 2023 Patch Tuesday forecast: Important Federal government news
Microsoft addressed 33 CVEs in Windows 10 and 11 last month after nearly 3x that number in July.

Cyber talent gap solutions you need to know
In this Help Net Security video, Gene Fay, CEO at ThreatX, discusses how the limited exposure to educational resources focused on cyber is attributed to the talent shortage as consumers are less inclined to explore these careers.

6 free resources for getting started in cybersecurity
Cybersecurity is not just a career field on the rise – it’s a calling that’s increasingly vital to the infrastructure of our world.

How cybercriminals use look-alike domains to impersonate brands
In this Help Net Security video, Eric George, Director of Solution Engineering at Fortra, discusses why brands should take domain impersonation threats seriously and how security teams can counteract this issue.

Cybersecurity pros battle discontent amid skills shortage
The cybersecurity skills crisis continues in a multi-year freefall that has impacted 71% of organizations and left two-thirds of cybersecurity professionals stating that the job has become more difficult over the past two years—while 60% of organizations continue to deflect responsibility, according to a new report from ESG and ISSA.

Best practices for implementing a proper backup strategy
In this Help Net Security video, David Boland, VP of Cloud Strategy at Wasabi Technologies, discusses best practices for implementing a proper backup strategy.

Ransomware attacks go beyond just data
65% of organizations confirmed that ransomware is one of the top three threats to their viability, and for 13%, it is the biggest threat, according to a report by Enterprise Strategy Group (ESG) and Keepit.

Spam is up, QR codes emerge as a significant threat vector
85% of phishing emails utilized malicious links in the content of the email, and spam emails increased by 30% from Q1 to Q2 2023, according to a VIPRE report.

Avoidable digital certificate issues fuel data breaches
Among organizations that have suffered data breaches 58% were caused by issues related to digital certificates, according to a report by AppViewX and Forrester Consulting.

Global roaming fraud losses to surpass $8 billion by 2028
Losses from global roaming fraud are anticipated to exceed $8 billion by 2028; driven by the increase in bilateral roaming agreements for data-intensive use cases over 5G networks, according to Juniper Research.

Championing cybersecurity regulatory affairs with Nidhi Gani
The world of regulatory affairs for medical device manufacturers has undergone a seismic shift in recent years as regulators demand more reliability and transparency from medical device manufacturers– especially surrounding their cybersecurity.

CIS Benchmarks Communities: Where configurations meet consensus
Have you ever wondered how technology hardening guidelines are developed? Some are determined by a particular vendor or driven by a bottom-line perspective. That’s not the case with the CIS Benchmarks.

Infosec products of the month: August 2023
Here’s a look at the most interesting products from the past month, featuring releases from: Action1, Adaptive Shield, Bitdefender, Bitwarden, Forescout, ImmuniWeb, Kingston Digital, LastPass, Lineaje, LOKKER, Menlo Security, MongoDB, Netskope, NetSPI, OffSec, Qualys, SentinelOne, Solvo, SonarSource, SpecterOps, Synopsys, ThreatConnect, Traceable AI, and Vicarius.

New infosec products of the week: September 8, 2023
Here’s a look at the most interesting products from the past week, featuring releases from CyberSaint, Ghost Security, Hornetsecurity, NTT Security Holdings, and TXOne Networks.



Source link