Week in review: OpenSSL critical fix, Medibank data breach, Apple fixes zero-day vulnerability

The week in security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Incoming OpenSSL critical fix: Organizations, users, get ready!
The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library (the flaw does not affect OpenSSL versions before 3.0).

Apple fixes exploited iOS, iPadOS zero-day (CVE-2022-42827)
For the ninth time this year, Apple has released fixes for a zero-day vulnerability (CVE-2022-42827) exploited by attackers to compromise iPhones.

MyOpenVDP: Open-source web application to securely disclose vulnerabilities
MyOpenVDP is a turnkey open-source solution allowing anyone to host their own vulnerability disclosure policy (VDP). Developed by YesWeHack, the web application is available on GitHub.

How cybersecurity VCs find visionary companies in emerging sectors
33N Ventures is fundraising €150 million for investing in cybersecurity and infrastructure software companies across Europe, Israel, and the US. The fund will mostly target investments at Series A and B, with an average ticket size of around €10 million, and has an investment capacity of €20 million already committed by Alantra and its strategic partners.

Your CCTV devices can be hacked and weaponized
In this interview for Help Net Security, Camellia Chan, CEO at Flexxon, talks about the dangers of closed-circuit television (CCTV) hacks and what users can do to protect themselves.

Asset risk management: Getting the basics right
In this interview with Help Net Security, Yossi Appleboum, CEO at Sepio, talks about asset risk management challenges for different industries and where it’s heading.

Medibank data breach: More customers affected, attacker got in via stolen credentials
Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought.

Don’t wait for medical device cybersecurity legislation: Act now to save patients’ lives
Cyberattacks can cost lives — especially in the healthcare sector. Nearly a quarter of healthcare providers victimized by ransomware reported increased mortality rates following an attack, and 70% experienced longer hospital stays or procedure delays leading to poor patient outcomes.

The long-term psychological effects of ransomware attacks
Northwave has conducted scientific research into the psychological effects of a ransomware crisis on both organizations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected.

Shadowserver: Get free access to timely, critical Internet security data
In this Help Net Security video, Piotr Kijewski, CEO at The Shadowserver Foundation, talks about what they do and offers insight into their track record of delivering high-quality, actionable cyber threat intelligence for over 15 years.

Fill the cybersecurity talent gap with inquisitive job candidates
The impact of the Great Resignation and the Great Reshuffle is still strongly felt across many industries, including cybersecurity. There is a talent gap: Companies are struggling to hire enough talent to fulfill their needs and goals.

cert-manager: Automatically provision and manage TLS certificates in Kubernetes
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters and simplifies the process of obtaining, renewing, and using those certificates.

Mitigating the risks of artificial intelligence compromise
The number of cyberattacks directed at artificial intelligence (AI) continues to increase, and hackers are no longer planting malicious bugs within code – their techniques have become increasingly complex, allowing them to tamper with systems to compromise and “weaponize” AI against the organizations leveraging it for their operations.

DHL takes top spot in brand phishing attempts
Check Point Research has published its Brand Phishing Report for Q3 2022, which highlights the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.

Key observations on DDoS attacks in H1 2022
In this Help Net Security video, Juniman Kasman, CTO at Nexusguard, talks about how, while the total number of attacks did grow, the average (0.59 Gbps) and maximum (232.0 Gbps) attack sizes decreased by 56% and 66.8%, respectively, during the same period.

Delivering visibility requires a new approach for SecOps
As the world watches the conflict with Russia unfold, cybersecurity defenders are working overtime. Defenders are being asked by key stakeholders, boards, and even CISA for transparency on how their organization is faring against cyberattacks.

To retain cybersecurity professionals, keep remote work as an option
(ISC)² highlighted a stark increase in the shortage of cybersecurity professionals as it announced the findings of its 2022 (ISC)² Cybersecurity Workforce Study.

What closed-source software developers can learn from their open-source counterparts
In this Help Net Security video, Josep Prat, Open Source Engineering Director at Aiven, illustrates how threat actors see greater use of open-source software as an opportunity, deploying new methods targeting tech professionals and open-source projects.

Protecting organizations by understanding end-of-life software risks
In this Help Net Security video, Keith Neilson, Technical Evangelist at CloudSphere, discusses how simply knowing what is in your IT estate does not guarantee that you understand what will cause chaos.

What consumers expect from organizations that handle their personal data
In this Help Net Security video, Robert Waitman, Privacy Director and Head of Privacy Research Program at Cisco, discusses the key findings of Cisco’s 2022 Consumer Privacy Survey.

Why dark data is a growing danger for corporations
In this Help Net Security video, Dannie Combs, SVP and CISO at Donnelley Financial Solutions, discusses why dark data represents a potential cybersecurity threat for global businesses.

Ghostwriter: Open-source project management platform for pentesters
In this Help Net Security video, Christopher Maddalena, Director of Internal and Community Product at SpecterOps, showcases Ghostwriter, which helps you manage clients, projects, reports, and infrastructure in one application.

Economic strife fuels cyber anxiety
The 2022 SonicWall Threat Mindset Survey found that 66% of customers are more concerned about cyberattacks in 2022, with the main threat being focused on financially motivated attacks like ransomware. In this Help Net Security video, Immanuel Chavoya, Threat Detection Expert at SonicWall, talks about the key survey findings.

Know the dangers you’re facing: 4 notable TTPs used by cybercriminals worldwide
In this Help Net Security video, Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry, talks about some of the most interesting tactics, techniques, and procedures employed by cybercriminals in recent months.

Social engineering attacks anybody could fall victim to
This Help Net Security video talks about what social engineering is, how it can be performed, and how you can fight against it.

Cloud security made simple in new guidebook for lean teams
In the ebook “The Lean IT Guide to Cloud Security”, Cynet describes what the optimal cloud security toolkit looks like, along with how lean security teams can take advantage of similar strengths without increasing staff or ballooning security spending.

A quick guide for small cybersecurity teams looking to invest in cyber insurance
In the world of insurance providers and policies, cyber insurance is a fairly new field. And many security teams are trying to wrap their heads around it.

New infosec products of the week: October 28, 2022
Here’s a look at the most interesting products from the past week, featuring releases from ARMO, Array, AuditBoard, Illusive, Kasten by Veeam, Prove, SkyKick, and Socure.
