Security

by Paul Ducklin Today’s a Firefox Tuesday, when the latest version of Mozilla’s browser comes out, complete with all the security updates that have been merged into the product since the previous release. We used to call them Fortytwosdays, because Mozilla followed a six-weekly coding cycle, instead of monthly like Microsoft, or quarterly like Oracle,

Two brothers from Peru have admitted their role in an international call-center scam that defrauded Spanish-speaking immigrants to the United States.  Under the conspiracy, victims were called up and threatened with legal action or deportation if they didn’t buy certain educational products. The scam was perpetrated from a series of call centers in Peru, including

The United States has imprisoned a woman for her role in a child sexual abuse material (CSAM) subscription service that produced millions of images and videos of sexualized minors.  Patrice Eileen Wilowski-Mevorah of Tampa, Florida, was one of four people charged in August in connection with the Newstar Websites operated by Newstar Enterprise, out of Florida. Since then, two

by Paul Ducklin Two weeks ago, after three software audits and three months of live testing, a cryptocurrency startup called MonoX introduced what it described as “the premier bootstrap decentralized exchange, Monoswap”. In an announcement on 23 November 2021, the company declared: MonoX will revolutionize the DeFi ecosystem by fixing the capital inefficiencies of current

Nearly all railroads and airlines in the United States have been ordered to report cybersecurity breaches to the federal government.  Under the new Transportation Security Administration–issued mandate, rail operators, airport operators and airline operators will be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of detection. All three

by Paul Ducklin The UK legislature is currently interested in a law about what it calls PSTI, short for Product Security and Telecommunications Infrastructure. If you’ve seen that abbreviation before, it’s almost certainly in the context of the PSTI Bill. (A Bill is proposed new legislation that has not yet been agreed upon; if ultimately

The UK’s data watchdog has slapped the British government with a hefty fine for exposing the addresses of individuals chosen to receive honors.  The Information Commissioner’s Office (ICO) said that the safety of hundreds of 2020 New Year Honors recipients had been placed in jeopardy after their personal data was published online. “On 27 December 2019 the Cabinet Office

by Paul Ducklin Renowned bug-hunter Tavis Ormandy of Google’s Project Zero team recently found a critical security flaw in Mozilla’s cryptographic code. Many software vendors rely on third-party open source cryptographic tools, such as OpenSSL, or simply hook up with the cryptographic libraries built into the operating system itself, such as Microsoft’s Secure Channel (Schannel)

A man from Oregon has been charged with stealing confidential data from his employer and secretly extorting the company for a $2m ransom while purporting to be working on remediating the theft.  Portland resident Nickolas Sharp allegedly stole gigabytes of data from Ubiquiti Inc., a technology company headquartered in New York, where Sharp was employed from August 2018 to

by Paul Ducklin [00’23”] Fun Fact: Ebooks reach their half-century. [00’58”] Call scammers and cryptocoin treachery. [07’34”] Cloud insecurity and yet more cryptocoin treachery. [16’15”] Tech History: The interwoven story of Mary Shelley, Ada Lovelace and AI ethics. [18’26”] Facial recognition creepiness. [25’23”] Oh! No! The wannabe wizard that went to school with a trainee

A cyber-attack on Planned Parenthood Los Angeles (PPLA) has resulted in the exposure of patients’ personally identifying information (PII). The agency said in a notice posted to its website on Wednesday that suspicious activity was detected on its computer network on October 17. An investigation into the activity remains ongoing; however, it has been determined that an

The United States has sent a fourth member of the international hacking group known as The Community to prison. Garrett Endicott, of Warrensburg, Missouri, was the last of six defendants to be sentenced in connection with a multi-million-dollar SIM-swapping conspiracy that claimed victims across the country, including in California, Missouri, Michigan, Utah, Texas, New York and Illinois.

The former dean of a business school in Philadelphia has been found guilty of involvement in a fraudulent scheme to doctor program rankings using false data. Moshe Porat, of Bala Cynwyd, Pennsylvania, was dean of Temple University’s Richard J. Fox School of Business and Management for more than two decades, from 1996 until 2018. On

by Paul Ducklin The UK data protection regulator has announced its intention to issue a fine of £17m (about $23m) to controversial facial recognition company Clearview AI. Clearview AI, as you’ll know if you’ve read any of our numerous previous articles about the company, essentially pitches itself as a social network contact finding service with

The Panasonic Corporation has disclosed a data security incident in which an undisclosed amount of data was compromised. In a statement issued Friday, the major Japanese multinational conglomerate announced that an unauthorized third party had gained access to its network on November 11.  An internal investigation was launched that determined that the intruder had accessed some data stored on

An APAC marine services multi-national appears to have become the latest victim of the prolific Clop ransomware gang. Swire Pacific Offshore (SPO) has provided crew and ships for specialized tasks such as anchor handling, platform supply and seismic surveys for over 45 years. However, its name recently appeared on the extortion site of the Clop

UK schools are being encouraged to sign-up to a revamped cybersecurity competition designed to improve diversity in the sector. The CyberFirst Girls Competition is the National Cyber Security Centre’s flagship event for schools. Since 2017 more than 43,000 girls aged 12-13 have taken part in a series of cybersecurity challenges. However, the 2022 edition will see some

by Paul Ducklin Google’s Cybersecurity Action Team just published the first ever edition of a bulletin entitled Cloud Threat Intelligence. The primary warnings are hardly surprising (regular Naked Security visitors will have read about them here for years), and boil down to two main facts. Firstly, crooks show up fast: occasionally, it takes them days

“AI will revolutionize every aspect of connectivity,” was the bold message delivered during a recent webinar by the IDC titled ‘AI with everything – the future of Artificial Intelligence in Networking.‘  The synopsis of the webinar argued that artificial intelligence (AI) is changing how networks are built and operated in the most profound of ways. Additionally, IT

by Paul Ducklin The US Securities and Exchange Commission (SEC) has issued numerous warnings over the years about fraudsters attempting to adopt the identity of SEC officials, including by phone call spoofing. Call spoofing is where a scammer calls you up on your landline or mobile phone, claims to be from organisation X, and then

Service providers have suspended over 20 websites in Germany and the UK for disseminating online terrorist propaganda, Europol has revealed. In the last week of October, a referral action targeted 50 sites that police flagged for promoting violent jihadist ideology in support of terrorist groups such as the Islamic State (IS) and al-Qaeda. Police requested

by Paul Ducklin [00’27”] Cybersecurity tips for the holiday season and beyond. [02’20”] Fun fact: The longest-lived Windows version ever. [03’40”] Exchange at risk from public exploit. [10’34”] GoDaddy loses passwords for 1.2m users. [18’25”] Tech history: What do you mean, “It uses a mouse?” [20’25”] Don’t make your cookies public! [27’51”] Oh! No! DDoS

A website, initially set up by graduates to offer IT support, has caught a criminal after a woman used it to try to arrange the murder of her ex-husband.  RentaHitman.com is a darkly titled domain set up by a group of friends after they graduated from a California business school with degrees in IT.  The site’s operator,

by Paul Ducklin The US Securities and Equities Commission (SEC) has just published a “Security Incident” submitted last week by Web services behemoth GoDaddy. GoDaddy says that on 17 November 2021 it realised that there were cybercriminals in its network, kicked them out, and then set about trying to figure out when the crooks got

More than four-fifths (81%) of UK retailers are putting their customers at risk of email fraud by not implementing the recommended level of domain-based message authentication, reporting and conformance (DMARC) protection. This is according to a new study by Proofpoint, which warned of a likely surge in fraudulent emails targeting online shoppers ahead of this year’s Black

by Paul Ducklin At the start of this month, CVE-2021-42321 was technically an Exchange zero-day flaw. This bug could be exploited for unauthorised remote code execution (RCE) on Microsoft Exchange 2016 and 2019, and was patched in the November 2021 Patch Tuesday updates. Microsoft officially listed the bug with the words “Exploitation Detected”, meaning that

The largest theft of Bitcoin from a single individual was allegedly perpetrated by a Canadian teenager. An unnamed youth was arrested last week on suspicion of stealing crypto-currency worth approximately $36.5m from an unnamed victim who is located in the United States.  It is alleged that the defendant used a SIM swapping attack to gain access to

by Paul Ducklin As we’ve explained before, the opposite (or perhaps we mean the inverse) of Black Friday wouldn’t be White Friday, it would be Red Friday. The word “black” in the context of the big retail surge that typically follows US Thanksgiving, which is always on a Thursday, refers to ink, from the time

The United States has charged two Iranian computer hackers in connection with a cyber-campaign intended to influence the outcome of America’s 2020 presidential election. An indictment unsealed in New York on Thursday alleges that 24-year-old Seyyed Mohammad Hosein Musa Kazemi and 27-year-old Sajjad Kashian conspired with others to intimidate and influence American voters, undermine voter confidence, and

A British man has admitted being a member of an international video piracy ring that illegally distributed “nearly every movie released by major production studios.” On Thursday, before United States District Judge Richard M. Berman, George Bridi pleaded guilty to conspiracy to commit copyright infringement, which carries a maximum sentence of five years in prison. Bridi, who