Feds, npm Issue Supply Chain Security Guidance to Avert Another SolarWinds

The US government and the Open Source Security Foundation have released guidance to shore up software supply chain security, and now it's up to developers to act.

Researchers Spot Snowballing BianLian Ransomware Gang Activity

The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.

4 Scenarios for the Digital World of 2040

Our digital future depends on the choices we make today. We need to invest in cybersecurity technologies and skills so that humanity can control its future.

Raspberry Robin Malware Connected to Russian Evil Corp Gang

Infections attributed to the USB-based worm have taken off, and now evidence links the malware to Dridex and the sanctioned Russian cybercriminal group Evil Corp.

AWS Tokens Lurking in Android, iOS Apps Crack Open Corporate Cloud Data

Thousands of corporate mobile apps developed by businesses for use by their customers contain hardcoded AWS tokens that can be easily extracted and used to access the full run of corporate data stored in cloud buckets.

The Makings of a Successful Threat-Hunting Program

Threat hunters can help build defenses as they work with offensive security teams to identify potential threats and build stronger threat barriers.

Ragnar Locker Brags About TAP Air Portugal Breach

TAP assures its customers that it stopped data theft in a recent cyberattack, but the Ragnar Locker ransomware group says it made off with user info.

Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organization's cloud attack surface.

Neopets Hackers Had Network Access for 18 Months

Neopets has confirmed that its IT systems were compromised from January 2021 through July 2022, exposing 69 million user accounts and source code.

Threat Actor Phishing PyPI Users Identified

"JuiceLedger" has escalated a campaign to distribute its information stealer by now going after developers who published code on the widely used Python code repository.

Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams

The expanding Internet of Things ecosystem is seeing a startling rate of vulnerability disclosures, leaving companies with a greater need for visibility into and patching of IoT devices.

New Guidelines Spell Out How to Test IoT Security Products

The proposed AMTSO guidelines offer a roadmap for comprehensive testing of IoT security products.

Code-Injection Bugs Bite Google, Apache Open Source GitHub Projects

The insecurities exist in CI/CD pipelines and can be used by attackers to subvert modern development and roll out malicious code at deployment.

Apple Quietly Releases Another Patch for Zero-Day RCE Bug

Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.

(ISC)² Launches 'Certified in Cybersecurity' Entry-Level Certification to Address Global Workforce Gap

After a rigorous pilot program, the association's newest certification is officially operational. More than 1,500 pilot participants who passed the exam are on the path to full certification.

Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation

Cloud breaches are inevitable — and so is cloud ransomware. (Second of two parts.)

Closing the Security Gap Opened by the Rise of No-Code Tools

No-code startups such as Mine PrivacyOps say they offer best of both worlds — quick development and compliance with privacy laws.

Google Fixes 24 Vulnerabilities With New Chrome Update

But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.

Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack

The ongoing campaign is spreading worldwide, using the lure of a fully functional Google Translate application for desktops that has helped the threat stay undetected for months.

James Webb Telescope Images Loaded With Malware Are Evading EDR

New Golang cyberattacks use deep space images and a new obfuscator to target systems — undetected.

The Pros and Cons of Managed Firewalls

Managed firewalls are increasingly popular. This post examines the strengths and weaknesses of managed firewalls to help your team decide on the right approach.

OpenText Goes All-in on Cybersecurity Size and Scale With Micro Focus Purchase

OpenText makes a $6 billion bet that bigger is better in security and that cybersecurity platform plays are the future.

(ISC)² Opens Global Enrollment for '1 Million Certified in Cybersecurity' Initiative

(ISC)² pledges to expand and diversify the cybersecurity workforce by providing free "(ISC)² Certified in Cybersecurity" education and exams to 1 million people worldwide.

TikTok for Android Bug Allows Single-Click Account Hijack

A security vulnerability (CVE-2022-28799) in one of TikTok for Android's deeplinks could affect billions of users, Microsoft warns.

The Inevitability of Cloud Breaches: Tales of Real-World Cloud Attacks

While cloud breaches are going to happen, that doesn't mean we can't do anything about them. By better understanding cloud attacks, organizations can better prepare for them. (First of two parts.)

SecureAuth Announces General Availability of Arculix, Its Next-Gen Passwordless, Continuous-Authentication Platform

Next-gen platform delivers adaptive and robust, continuous authentication with identity orchestration and a frictionless user experience.

New ODGen Tool Unearths 180 Zero-Days in Node.js Libraries

New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note.

Don't Let 'Perfect' Be the Enemy of a Good AppSec Program

These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.

Malicious Chrome Extensions Plague 1.4M Users

Analysts find five cookie-stuffing extensions, including one that's Netflix-themed, that track victim browsing and insert rogue IDs into e-commerce sites to rack up fake affiliate payments.

Chinese Hackers Target Energy Sector in Australia, South China Sea

The phishing campaign deploying a ScanBox reconnaissance framework has targeted the Australian government and companies maintaining wind turbines in the South China Sea.

Security Culture: An OT Survival Story

The relationship between information technology and operational technology will need top-down support if a holistic security culture is to truly thrive.

Cohesity Research Reveals that Reliance on Legacy Technology Is Undermining How Organizations Respond to Ransomware

Nearly half of respondents say their company relies on outdated backup and recovery infrastructure — in some cases dating back to the 1990s, before today's sophisticated cyberattacks.

Phishing Campaign Targets PyPI Users to Distribute Malicious Code

The first-of-its-kind campaign threatens to remove code packages if developers don’t submit their code to a "validation" process.

Building a Strong SOC Starts With People

A people-first approach reduces fatigue and burnout, and it empowers employees to seek out development opportunities, which helps retention.

Google Expands Bug Bounties to Its Open Source Projects

The search engine giant's Vulnerability Rewards Program now covers any Google open source software projects — with a focus on critical software such as Go and Angular.

Cerberus Sentinel Announces Acquisition of CUATROi

US cybersecurity services firm expands services in Latin America.

A Peek Into CISA's Post-Quantum Cryptography Roadmap

To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap.

Receipt for €8M iOS Zero-Day Sale Pops Up on Dark Web

Documents appear to show that Israeli spyware company Intellexa sold a full suite of services around a zero-day affecting both Android and iOS ecosystems.

3 Ways No-Code Developers Can Shoot Themselves in the Foot

Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the technology can make it easy to make security mistakes.

Cyber-Insurance Firms Limit Payouts, Risk Obsolescence

Businesses need to re-evaluate their cyber-insurance policies as firms like Lloyd's of London continue to add restrictions, including excluding losses related to state-backed cyberattackers.

NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor

Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.

The 3 Questions CISOs Must Ask to Protect Their Sensitive Data

CISOs must adopt a new mindset to take on the moving targets in modern cybersecurity.

Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls

After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cybersecurity measures.

LastPass Suffers Data Breach, Source Code Stolen

Researchers warned that cyberattackers will be probing the code for weaknesses to exploit later.

'Sliver' Emerges as Cobalt Strike Alternative for Malicious C2

Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.

'No-Party' Data Architectures Promise More Control, Better Security

Consumers gain control of their data while companies build better relationships with their customers — but third-party ad-tech firms will likely continue to stand in the way.

How DevSecOps Empowers Citizen Developers

DevSecOps can help overcome inheritance mentality, especially in low- and no-code environments.

Endpoint Protection / Antivirus Products Tested for Malware Protection

Six out of the eight products achieved an "A" rating or higher for blocking malware attacks. Reports are provided to the community for free.

Capital One Joins Open Source Security Foundation

OpenSSF welcomes Capital One as a premier member affirming its commitment to strengthening the open source software supply chain.

Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack

The "0ktapus" cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean, DoorDash and Mailchimp.

ReasonLabs Launches Free Online Security Tool to Power Secure Web Experience for Millions of Global Users

Online Security autonomously blocks malicious URLs, extensions, ad trackers, and pop-ups 24/7, protecting consumers from complex and rapidly evolving cyber threats online.

More Bang for the Buck: Cross-Platform Ransomware Is the Next Problem

As cryptocurrency valuations make strikes less lucrative, ransomware gangs like the new RedAlert and Monster groups are modifying their tools to attack across platforms.

Wyden Renews Call to Encrypt Twitter DMs, Secure Americans' Data From Unfriendly Foreign Governments

Following whistleblower complaint, Oregon senator renews commitment to passing bipartisan legislation to address the national security risks.

Senior-Level Women Leaders in Cybersecurity Form New Nonprofit

The Forte Group, which gained momentum as an informal organization during the pandemic, will offer career development and advocacy for women execs in cybersecurity as well as newcomers.

Cyberstarts Closes $60M in Seed Fund III

Venture firm hires former Splunk CEO to spearhead new GTM advisory board and help portfolio companies scale up.

The (Nation) State of Cyber: 64% of Businesses Suspect They've Been Targeted or Impacted by Nation-State Attacks

According to new Venafi research, two-thirds of organizations have changed cyber strategy in response to war in Ukraine.

What You Need to Know About the Psychology Behind Cyber Resilience

Understanding how and why people respond to cyber threats is key to building cyber-workforce resilience.

Penetration Testing Market Worth $2.7B By 2027: MarketsandMarkets(TM) Report

Increase driven by increasingly sophisticated cyberattacks as well as increase in mobile-based business-critical applications, according to report.

Optiv's Annual $40K Scholarship for Black, African-American-Identifying STEM Students Now Open for Applicants

Optiv's Black Employee Network offers the scholarship, paid out over 4 years, for students seeking a career in the cybersecurity/information security industry.

New Exterro FTK Update Accelerates Mobile Digital Forensics

The FTK 7.6 portfolio promises better integration with other security and network resources, as well as unified analysis of mobile and computer evidence.