Security

by Paul Ducklin Remember all those funkily named bugs of recent memory, such as Spectre, Meltdown, F**CKWIT and RAMbleed? Very loosely speaking, these types of bug – perhaps they’re better described as “performance costs” – are a side effect of the ever-increasing demand for ever-faster CPUs, especially now that the average computer or mobile phone

A cloud misconfiguration at a leading security services multinational has exposed the details of countless airport staff across South America, according to a new report. A team at AV comparison site Safety Detectives found an Amazon Web Services S3 bucket wide open without any authentication required to view the contents. After notifying the owner, Swedish

by Paul Ducklin Typefaces can be a tricky business, both technically and legally. Before word processors, laser printers and digital publishing, printed materials were quite literally “set in metal” (or wood), with typesetters laying out lines and pages by hand, using mirror-image letters cast on metal stalks (or carved into wooden blocks) that could be

The US government has effectively stripped another Chinese telecoms player of its license to operate in the country on national security grounds. The new Federal Communications Commission (FCC) order ends the ability of China Unicom Americas to provide telecoms services within the US. It follows a March 2021 finding by the FCC in which it

by Paul Ducklin Just under two weeks ago, we wrote about an Apple Safari bug that could allow rogue website operators to track you even if they gave every impression of not doing so, and even if you had strict privacy protection turned on. In fact, that vulnerability, now known as CVE-2022-22594, showed up in

New research from managed detection and response (MDR) provider Expel found that most ransomware attacks in 2021 were self-installed.  The finding was included in the company’s inaugural annual report on cybersecurity trends and predictions, Great eXpeltations, published on Thursday.  Researchers found eight out of ten ransomware infections occurred after victims unwittingly opened a zipped file containing malicious

by Paul Ducklin A Naked Security reader in the UK alerted us to a scam they received this afternoon in a text message. The message claimed to come from the NHS, Britain’s National Health Service, which administers coronavirus vaccinations and provides free testing throughout the country: As you probably know, PCR tests, which currently require

The Federal Bureau of Investigation (FBI) has issued a Private Industry Notice on protecting against malicious activity by Iranian cyber company Emennet Pasargad (formerly known as Eeleyanet Gostar). Two Iranian nationals employed by the company were indicted on October 20 2021 by a grand jury in the US District Court for the Southern District of New York

by Paul Ducklin You’ve probably had 42 emails already this week to tell you this… …but we’re going to say it anyway: “Happy Data Privacy Day!” Don’t panic. We’re not going to assail you with an academic argument about asserting your privacy, or provoke you with a polemic positing that privacy and a private life

The National Cyber Security Centre (NCSC) has warned UK organizations to prepare for Russian cyber-attacks amid ongoing geopolitical tensions in Ukraine. The new guidance follows numerous malicious cyber-incidents in Ukraine in the past month, which the NCSC said corresponds with past Russian behavior. These include more than a dozen Ukrainian government websites getting taken offline in a cyber-attack, while

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

A leading maker of network-attached storage (NAS) devices is urging customers to upgrade to the latest software version and reconfigure their systems in order to thwart a new ransomware campaign. Taiwan vendor QNAP released a statement yesterday in response to the mounting threat from a new variant known as “DeadBolt.” It advised customers to ensure their

by Paul Ducklin Researchers at Qualys have revealed a now-patched security hole in a very widely used Linux security toolkit that’s included in almost every Linux distro out there. The bug is officially known as CVE-2021-4034, but Qualys has given it a funky name, a logo and a web page of its own, dubbing it

There’s been a 29% increase in the number of vulnerabilities exploited by ransomware groups to compromise their targets over the past year, according to a new industry report. The Ransomware Spotlight Year End Report was written by security vendors Ivanti and Cyware alongside CVE numbering authority Cyber Security Works. It’s compiled from multiple data sources, including Ivanti and

by Paul Ducklin Many countries have taxation forms with names that have entered the general vocabulary, notably the abbreviations of documents that employers are obliged to provide to their staff to show how much money they were paid – and, most importantly, how much tax was already witheld and paid in on the employee’s behalf.

Security experts have stood up for cybersecurity whistleblowers after a report on Monday claimed a senior employee at a well-known carmaker was fired after raising concerns about fraud. The Volkswagen staffer was dismissed weeks after raising the alarm about possible vulnerabilities in the company’s payments platform, Volkswagen Payments SA, which JP Morgan bought a 75%

by Naked Security writer Russian news agency Tass reported over the weekend that the “purported founder” of a notorious cybercrime group known as Infraud Organisation has been arrested. Naked Security first wrote about law enforcement action against this crime crew almost three years ago, back in February 2018, when the US Department of Justice (DOJ)

The volume of publicly reported data compromises in the US soared 68% year-on-year to a record high of 1862, according to new data from the Identity Theft Resource Center (ITRC). The non-profit said the figure was 23% higher than the previous record, set in 2017. The number of victims was down 5%, continuing a recent trend

Pennsylvania has approved new legislation barring state and local governments from using taxpayers’ money to pay ransoms to cyber-criminals.  Senate Bill 726, amending Title 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, was approved by the Pennsylvania Senate on Wednesday. The legislation has now advanced to the House of Representatives for further consideration. The amendment defines ransomware

A man from Connecticut has been arrested on suspicion of using digital devices to record his neighbors.  Waterford resident Keith Hancock allegedly recorded 10 victims from outside their homes, two of whom were juveniles. Six of the individuals were filmed while undressing.  Hancock is also suspected of recording more victims while inside his home on Overlook Drive. 

by Paul Ducklin Maltese cryptocoin broker Foris DAX MT Ltd, better known by its domain name Crypto.com, experienced a multi-million dollar “bank robbery” earlier this month. According to a brief security report published yesterday, 483 customers experienced ghost withdrawals totalling just over 4800 Ether tokens, just over 440 Bitcoin tokens, and just over $66,000 in

Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks. The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today. However, the

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

Cybersecurity researchers in Canada have found a “devastating flaw” in the MY2022 app, designed for use by attendees of this year’s Winter Olympic Games in Beijing. The vulnerability was discovered by the Citizen Lab – an academic research laboratory based at the Munk School of Global Affairs at the University of Toronto. In findings published Tuesday, researchers said that the flaw

The UK government has announced plans to crack down on the advertising of cryptocurrency products to prevent consumers from being misled into purchases. The Treasury claimed that around 2.3 million people in the country now own some form of “cryptoasset,” but that understanding of these financial products is declining. That could lead to them being

by Paul Ducklin Researchers at browser identification company FingerprintJS recently found and disclosed a fascinating data leakage bug in Apple’s web browser software. Technically, the bug exists in Apple’s open source WebKit browser engine, which means it affects any browser that relies on WebKit. As you might expect, this includes all versions of Apple’s own

A Tennessee-based healthcare technology services company is facing legal action over a cyber-attack that occurred in August 2021. The class action lawsuit was filed against QRS Healthcare Solutions (QRS, Inc), an electric health record (EHR) vendor and provider of integrated practice management and clinical services, including electronic patient portals. On August 26 2021, QRS discovered

by Paul Ducklin A UK-based scammer who preyed on nearly 700 women and conned nine of them out of £20,000 (about $27,000), has been sent to prison. London resident Osagie Aigbonohan, 41, pleaded guilty to charges of fraud and money laundering, including scamming £9500 out of one victim in the course of a fake 10-month

Microsoft has detected a major malware wiper campaign targeting government, IT and non-profit organizations across Ukraine. Dubbed “WhisperGate,” the attacks were first spotted on January 13, at around the same time that over a dozen government websites were forced offline in what was described as a “massive” cyber-attack. Although Microsoft said it had not noticed any links

by Paul Ducklin You’ve probably seen the news, even if you’re not sure what happened. Unless you’re a JavaScript programmer and you relied on either or both of a pair of modules called faker.js and colors.js. If you were a user of either of those projects, and if you are (or were!) inclined to accept