AXIS firma l’impegno CISA per la cybersecurity: AXIS Communications annuncia l’adesione all’impegno Secure by Design promosso dalla Cybersecurity and Infrastructure Security Agency (CISA), confermando...
#AXISCommunications #SecurebyDesign #cybersecurity http://dlvr.it/TQpgxq

@boblord

An excellent follow-up article from Bob to the #hacklore interview. I particularly like the focus on #SecureByDesign and questioning the need for bolt-on, aftermarket solutions to product failures.

https://medium.com/@boblord/why-hacklore-persists-and-how-we-replace-it-985ac1065a98

This is not a "remote code execution (RCE) flaw". Executing code remotely is what the Villains did right. That's attacker-centric language. We need to focus on what the Vendor did wrong.

The software had a "weak authentication" flaw. #SecureByDesign

https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/

🗓️ 04 Feb: Join our webinar exploring how organisations are using regulatory mandates as a catalyst to reduce O&M costs, protect brand equity, and turn #SecureByDesign into a measurable competitive advantage in the global market.

Register now: https://discover.claroty.com/webinar-forecasting-future-fortifications-apj

#SOCI #E8 #ANZ 🇦🇺🇳🇿

OpenAI has introduced ChatGPT Health, a dedicated environment for health-related AI interactions with purpose-built privacy controls.

Security-relevant highlights include:
• Data isolation from standard ChatGPT sessions
• Encryption at rest and in transit
• Explicit opt-in for third-party health apps
• No Health data used for foundation model training
• Immediate and final access revocation options

The feature reflects a growing push to align consumer AI tools with stricter data governance expectations in healthcare contexts.

From a security and privacy standpoint, what controls matter most here?

Source: https://cyberinsider.com/openai-launches-chatgpt-health-with-promises-of-strong-data-privacy/

Share your analysis and follow @technadu for security-aware tech reporting.

#HealthDataSecurity #AIPrivacy #Infosec #DataGovernance #SecureByDesign #HealthcareSecurity

🎯 Neues Jahr = Neue Jahresvorsätze

Viele technische Geräte sind von Beginn an nicht ausreichend gegen Cyberangriffe geschützt. Deshalb setzen wir uns für Secure by Design ein - IT-Sicherheit von Anfang an!

💪 Mehr als nur ein Vorsatz, sondern Pflichtprogramm.

Weitere Informationen und Tipps, wie ihr Cybersicherheit in 2026 von Beginn an mitdenken könnt, findet ihr auf unserer Webseite: bsi.bund.de

#SecureByDesign #CyberSecurity #Resilience

Built with hardened defaults for users who take privacy seriously.
Whonix delivers anonymity and security you can rely on.

#Whonix #PrivacyFirst #Anonymity #SecureByDesign #CyberSecurity #DigitalPrivacy

🎉 Big news! Early Bird tickets for OWASP Global AppSec Vienna 2026 are here!
25 years of OWASP ✨ Stunning Vienna 🇦🇹 World-class training 🧠 & a conference like no other 🔥
Why wait? Register now for early bird pricing: https://owasp.glueup.com/event/162243/register/
#appsec #owasp #cybersecurity #securebydesign

If containers are now the backbone of modern delivery, why are we still securing them as an afterthought? 🤔

This article walks through a bottom-up hardening process that removes unnecessary components, verifies everything from source, and gives teams a security posture that’s proactive.

🔗 : https://www.activestate.com/blog/container-security-best-practices-for-modern-devsecops-teams/?utm_source=mastodon&utm_medium=organic_social&utm_campaign=blog

#DevSecOps #ContainerSecurity #SoftwareSupplyChain #SecureByDesign #CloudNativeSecurity #CICD #PlatformEngineering #OpenSourceSecurity #ActiveState

Great read for tech leaders exploring shift-left security and new IT operating models. Join the discussion and share your view on early security adoption. #DigitalTransformationLeadership #CIOpriorities #EmergingTechnologyStrategy #ITOperatingModelEvolution #DataDrivenDecisionMakingInIT #ShiftLeft #SecureByDesign #LeadershipInTech
https://www.linkedin.com/pulse/shifting-left-embedding-security-development-sanjay-k-mohindroo--penac

Great read for tech leaders exploring shift-left security and new IT operating models. Join the discussion and share your view on early security adoption. #DigitalTransformationLeadership #CIOpriorities #EmergingTechnologyStrategy #ITOperatingModelEvolution #DataDrivenDecisionMakingInIT #ShiftLeft #SecureByDesign #LeadershipInTech
https://www.linkedin.com/pulse/shifting-left-embedding-security-development-sanjay-k-mohindroo--penac

Kicksecure delivers a deeply hardened Linux environment with security-focused configurations applied by default. It’s built for users who demand verified protection from the ground up.

#Kicksecure #SecurityHardened #LinuxSecurity #SecureByDesign #CyberProtection

From humble beginnings to a globally trusted security platform, Whonix continues to protect privacy every day.

#Whonix #Anniversary #CyberDefense #PrivacyByDefault #SecureByDesign #TorNetwork #DigitalProtection

With a dual-VM architecture and Tor routing, Whonix blocks even sophisticated spying and monitoring tactics.

#Whonix #SpyProtection #AnonymityOnline #SecureByDesign #NoIPLeaks #CyberDefense #PrivacyTools

Maximum Anonymity
With Whonix, your real IP never touches the internet, every connection is routed through a secure, leak-proof system.

#Whonix #AnonymityOnline #NoIPLeaks #PrivacyByDefault #SecureByDesign #TorPowered #CyberDefense

Software risk have changed. Modern security means continuous, identity-centric, AI-aware threat modeling woven into CI/CD and design practices. https://jpmellojr.blogspot.com/2025/12/why-ai-and-cloud-native-are-security.html #CloudSecurity #ThreatModeling #AIsecurity #SecureByDesign #CSA

Secure by Design. Privacy by Default.
Whonix is built on Kicksecure-hardened Debian and runs inside VMs — so your IP, identity & data stay protected.

#Whonix #CyberSecurity #Kicksecure #PrivacyMatters #SecureByDesign #PrivacyByDefault #Anonymity #TorNetwork #VMsecurity #DataProtection #CyberDefense #SecurityHardened #OpenSourceSecurity #DigitalPrivacy

Enhancing the software supply chain starts long before code reaches a scanner. It begins with the quality of the open-source components you bring into your ecosystem.

In our latest post, we break down why upstream integrity matters now and how a curated, source-built catalog is becoming a quiet advantage for more resilient software supply chains.

Link to post: https://www.activestate.com/resources/quick-reads/top-benefits-of-software-supply-chain-security-tools

#SoftwareSupplyChain #OpenSourceSecurity #SupplyChainSecurity #SecureByDesign #DevSecOps #AppSec

It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, new malware campaigns, actively exploited vulnerabilities, and a push to dispel common security myths. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- Pro-Ukraine hacktivists from the Ukrainian Cyber Alliance (UCA) claim to have severely disrupted Donbas Post, a Russian state-owned postal operator in occupied eastern Ukraine, wiping over 1,000 workstations, 100 virtual machines, and several dozen terabytes of data.
- Harvard University disclosed a data breach affecting alumni, donors, and staff, stemming from a voice phishing attack on its Alumni Affairs and Development systems, exposing personal details but no financial or password data.
- Real-estate finance services giant SitusAMC reported a data breach impacting corporate data and some client customer data, though business operations were unaffected and no encrypting malware was deployed.
- Media conglomerate Cox Enterprises confirmed data theft affecting 9,479 individuals from its Oracle E-Business instances, attributed to the Clop ransomware gang's exploitation of Oracle software.

🗞️ The Record | https://therecord.media/hackers-knock-out-systems-russia-operated-post-ukraine
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/harvard-university-discloses-data-breach-affecting-alumni-donors/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/real-estate-finance-services-giant-situsamc-breach-exposes-client-data/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/23/infosec_news_in_brief/

New Threat Research & Malware Campaigns 🔍

- A new Shai-Hulud supply-chain campaign has infected nearly 500 npm packages, including popular ones like Zapier and ENS Domains, stealing developer and CI/CD secrets and leaking them to automatically generated GitHub repositories.
- Chinese state-sponsored APT 31 (Violet Typhoon) has been observed attacking Russian cloud environments, specifically targeting IT sector contractors for government agencies, using a mix of common and custom malware for persistent access and credential theft.
- ShadowPad malware, a modular backdoor linked to Chinese state-sponsored groups, is actively exploiting CVE-2025-59287, a critical deserialization flaw in Microsoft WSUS, to gain system-level remote code execution and install its payload.
- ESET researchers uncovered the Chinese-aligned PlushDaemon APT group deploying "EdgeStepper," a network implant that hijacks DNS traffic to malicious nodes, enabling the delivery of malicious software updates in adversary-in-the-middle attacks.
- CISA issued an alert warning about commercial spyware actively targeting mobile messaging applications, leveraging sophisticated social engineering, zero-click exploits, and malicious QR codes to compromise high-value individuals.
- New ClickFix attack variants are using highly deceptive fake Windows Update screens and steganography (embedding malware in PNG image pixel data) to trick users into executing commands that deploy LummaC2 and Rhadamanthys information stealers.
- CrowdStrike research revealed that the Chinese DeepSeek-R1 AI model generates significantly more insecure code (up to 50% increase in severe vulnerabilities) when prompts contain politically sensitive topics like Tibet or Uyghurs, highlighting potential geopolitical biases in AI outputs.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/24/asia_tech_news_roundup/
📰 The Hacker News | https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/23/infosec_news_in_brief/
🤫 CyberScoop | https://cyberscoop.com/cisa-alert-draws-attention-to-spywares-targeting-of-messaging-apps/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/clickfix-attack-uses-fake-windows-update-screen-to-push-malware/
📰 The Hacker News | https://thehackernews.com/2025/11/chinese-ai-model-deepseek-r1-generates.html

Critical Vulnerabilities & Exploitation ⚠️

- Five "trivial-to-exploit" vulnerabilities, including RCE and an 8-year-old path traversal flaw (CVE-2025-12972), were discovered in Fluent Bit, an open-source log collection tool widely used across major cloud providers and AI labs.
- These Fluent Bit flaws, if chained, could allow attackers to bypass authentication, achieve remote code execution, cause denial-of-service, manipulate tags, and potentially lead to full node and cluster takeover in Kubernetes environments.
- A years-old remote code execution (RCE) flaw (CVE-2025-64756, CVSS 7.5) was found in the CLI tool of the `glob` file pattern matching library, which is a universal part of the JavaScript stack, allowing malicious filenames to be executed as code on POSIX systems when the `-c` flag is used.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/24/fluent_bit_cves/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/23/infosec_news_in_brief/

Regulatory Shifts & Software Liability ⚖️

- The UK's Business and Trade Committee has urged the government to introduce liability for software developers, incentivise business investment in cyber resilience, and mandate reporting of all malicious cyber incidents to bolster economic security.
- The Federal Communications Commission (FCC) has controversially reversed cybersecurity rules introduced after the Chinese Salt Typhoon espionage campaign, which aimed to force telecom carriers to harden their lawful intercept and other sensitive systems.
- Critics, including FCC Commissioner Anna Gomez and the Electronic Privacy Information Center (EPIC), warn that abandoning these enforceable requirements leaves the US less secure and creates a "safe harbor for insecure cybersecurity practices."

🗞️ The Record | https://therecord.media/software-companies-liable-britain-security
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/24/fcc_salt_typhoon_rules/

Debunking Cyber Myths & SBOM Challenges 🛡️

- A new initiative, Hacklore.org, launched by former CISA officials and over 80 cybersecurity professionals, aims to dispel common "hacklore" myths (e.g., frequent password changes, avoiding public Wi-Fi) in favour of practical, evidence-based advice like MFA, password managers, and timely updates.
- The initiative also advocates for software manufacturers to adopt "secure by design" and "secure by default" principles, committing to publishing roadmaps and timely CVE records to improve overall software security.
- Despite government efforts, Software Bills of Materials (SBOMs) adoption remains sluggish in the private sector, with experts divided on whether the rapid advance of AI-assisted coding will make SBOMs obsolete by generating vulnerability-free software, or if AI will simply introduce new complexities.

🤫 CyberScoop | https://cyberscoop.com/this-campaign-aims-to-tackle-persistent-security-myths-in-favor-of-better-advice/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/24/hacklore_launch/
🤫 CyberScoop | https://cyberscoop.com/sbom-adoption-challenges-ai-coding-transparency/

Operational Security Blunder 🤦‍♀️

- The International Association for Cryptologic Research (IACR) must re-run its election for new board members after one of three trustees "irretrievably lost their private key," preventing the joint decryption of electronic voting results.
- This incident highlights a critical operational security failure in a system designed for multi-party control, underscoring the human element in cryptographic key management.
- The IACR plans to adopt a two-out-of-three threshold mechanism for key management and a clearer written procedure to prevent future occurrences.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/24/cryptologic_research_election_rerun/

#CyberSecurity #ThreatIntelligence #CyberAttack #DataBreach #Malware #Ransomware #SupplyChainAttack #Vulnerability #RCE #ZeroDay #APT #NationState #AI #SecureByDesign #SBOM #InfoSec #IncidentResponse

SonicWall acts after backup breach as state actors target cloud files

SonicWall has concluded an investigation into a security incident involving the unauthorised access of backup firewall configuration files…
#NewsBeep #News #Headlines #APISecurity #ChiefInformationOfficer(CIO) #DisasterRecovery(DR) #Firewalls #Latvia #LV #Mandiant #NetworkSecurity #Ransomware #SecurebyDesign #SecurityOperations #SonicWALL #Threatactors
https://www.newsbeep.com/262939/