by Paul Ducklin Facebook has just admitted to years of problems with password hygiene by leaking plaintext passwords into logfiles by mistake. Watch this special edition of Naked Security Live… …we answer the questions lots of people have been asking us since we first wrote about this issue: What happened? Was this a blunder or

According to the 2019 State of the Call Center Authentication report from TRUSTID, a Neustar company, one of the most exploited areas in a company’s security chain is the call center. Companies may be investing more in their cybersecurity defenses, but fraudsters are evolving in their tactics. As such, they’ve discovered that by targeting call

by Paul Ducklin A security researcher in New Zealand just showed that it’s possible to wire up a low-cost data sniffer to the security chip in a Microsoft Surface laptop… …and read out the decryption key used by BitLocker, the software that is there to keep the data on your hard disk safe. That has

The UK’s Police Federation of England and Whales (PFEW) was the victim of a malware attack, according to two different tweets posted by the National Cyber Security Center (NCSC) UK and the PFEW. According to the Police Federation, the attack on the PFEW, which represents 119,000 police officers across the 43 forces in England and

by John E Dunn A researcher has published a new and relatively simple way that Windows BitLocker encryption keys can be sniffed in less secure configurations as they travel from Trusted Platform Modules (TPMs) during boot. BitLocker is the full volume encryption system that has been shipped with higher-end versions of Windows since Vista, which

Security professionals who attended RSA 2019 believe that the world is in the midst of cyber-war, according to a survey conducted by Venafi. While 87% of the 517 IT security professionals surveyed believe that cyber-war is a current reality rather than a future threat, 72% of respondents said that nation-states should be able to “hack back”

by Paul Ducklin In this Naked Security podcast, we explain how to handle sextortion, look at techniques for getting rid of malvertising, and discuss the things that make randomness hard. With Anna Brading, Paul Ducklin, Mark Stockley and Matthew Boddy. This week’s stories: “FINAL WARNING” email – have they really hacked your webcam? New scam

Protecting consumer privacy has become a top priority for legislators as candidates launch their 2020 campaigns and try to win over voters. According to research findings revealed in the new CCPA and GDPR Compliance Report, however, US companies haven’t made privacy regulations a top priority. The online survey, conducted by TrustArc, reflects responses from 250

by Danny Bradbury A security researcher has found a way to tinker with Windows’ core settings while persuading users to accept the changes, it emerged this week – and Microsoft has no intention of patching the issue. The attack was discovered by John Page, who goes by the name hyp3rlinkx. It focuses on the Windows

Before the next WannaCry or NotPetya cyber-attack strikes, potentially resulting in widespread damage for which few are actually prepared, law enforcement in the EU have established an incident response protocol, according to a Europol press release. “To prepare for major cross-border cyber-attacks, an EU Law Enforcement Emergency Response Protocol has been adopted by the Council

by Lisa Vaas Update 18 March 2019 FamilyTreeDNA emailed users last week to let them know that they can now opt out of DNA matching that will be used to help police identify the remains of deceased people or to help them track down violent criminals. It’s now calling that type of investigative DNA research

The data breach at Wolverine Solutions Group (WSG) continues to plague the healthcare industry, with more organizations, including Spectrum Healthcare, sending security notices to customers. As was the case for many organizations who have already issued security notices, Spectrum said it has no reason to believe its systems or customer information may have been compromised.

by Paul Ducklin This week, the Naked Security Podcast tries to figure out where Mark Zuckerberg’s new “Facebook Privacy Promise” is going, and digs into both the technical and community aspects of a recent Chrome zero-day exploit. With Anna Brading, Mark Stockley and Matthew Boddy. (This week, Duck was away in London giving a dramatic

Researchers at vpnMentor have discovered a security vulnerability in Gearbest, a Chinese e-commerce business that reportedly processes hundreds of thousands of sales a day. According to a blog post from vpnMentor’s research team, hackers were able to access different parts of Gearbest’s database, during which time they discovered more than 1.5 million records, ranging from

by Lisa Vaas Back in 2012, Sophos picked up a stash of USB keys from a lost property auction as an experiment. It turned out that they were a scary bunch of sticks: 66% of them contained malware, and not a single one was encrypted. Well, the more things change, the more things USB drive-related

Amid widespread speculation that a cyber-attack caused the outage of Facebook‘s services earlier this week, the social media platform contends that the issue was the result of a server configuration change. Despite the array of questions about when it made the change to the server and when it realized that the configuration error had triggered the

by Paul Ducklin Sextortion is where crooks email you out of the blue, say they have sex-related pictures or webcam footage of you, and demand you to pay them thousands of dollars, OR ELSE. Even people who never watch porn and don’t have a webcam find this sort of scam confronting and scary… …so we

Malicious actors who breached a Pakistani government site and delivered the ScanBox Framework payload have been tracking users who visit the site to check the status of their passport applications, according to research from Trustwave. Since attackers compromised the site, visitors to the subdomain (tracking.dgip.gov[.]pk) of the Pakistani government website’s Directorate General of Immigration & Passport load

by Paul Ducklin It’s Pi Day – or World Pi Day, if you prefer, or even Universe Pi Day, given that Pi is a universal constant. As you may remember from school mathematics, Pi is the cool and amazing ratio you get when you divide the distance around a circle by the distance across it

After months of investigating what was believed to be the largest online drug trafficking ring in the past decade, Israeli police, in conjunction with officers of the Security Service of Ukraine (SBU), have arrested 42 suspects, including the alleged leader. According to SBU, “On March 12, Ukrainian law enforcers basing on the motion about international

by Paul Ducklin Sextortion is back! In fact, it never went away. Some of us get dozens of sextortion scam emails every month to our work and personal accounts, demanding us to PAY MONEY OR ELSE!! In the crime of sextortion, the “OR ELSE” part is a threat to release a video of a sexual

A prolific malware, dubbed Ursnif, has resurfaced with new features, including the ability to bypass a popular Japanese antivirus software called PhishWall, according to Cybereason. Described as one of the most prolific information-stealing malware programs, Ursnif has been around since at least 2013. For nearly three months, researchers have been observing a campaign that has

by Lisa Vaas Facebook on Friday sued two Ukrainian men, Andrey Gorbachov and Gleb Sluchevsky, for allegedly scraping private user data through malicious browser extensions that masqueraded as quizzes. The company also alleges that the deceptive extensions injected unauthorized ads into Facebook users’ News Feeds when their victims visited through the compromised browsers. From Facebook’s

Despite Austin’s South by Southwest (SXSW) conference and festival being largely focused on film and music, 2020 presidential candidates arrived in Texas ready to talk about data privacy and cybersecurity. On March 8, Sen. Elizabeth Warren made headlines for her promise to break up big tech companies such as Amazon, Google, Facebook and Apple, while Sen.

by Danny Bradbury The US Army has been forced to clarify its intentions for killer robots after unveiling a new program to build AI-powered targeting systems. The controversy surrounds the Advanced Targeting and Lethality Automated System (ATLAS). Created by the Department of Defense, it is a program to develop: Autonomous target acquisition technology, that will

A September 2018 ransomware attack on Wolverine Solutions Group (WSG) has had widespread impact, resulting in hundreds of thousands of customers being warned that their personal information may have been part of a data breach, according to Detroit Free Press. In a statement to its clients, Wolverine Solutions Group wrote, “On approximately September 25, 2018, WSG

by Danny Bradbury Firefox users will soon get yet another privacy feature to help them avoid snooping advertisers – and the measure comes straight from its cousin, the Tor browser. The new privacy protection will help Firefox users avoid a long-used snooping technique called fingerprinting. Browser cookies are not the only way to track users

Researchers at Pen Test Partners revealed in a proof of concept (PoC) that they were able to exploit vulnerabilities in two high-end “smart” alarms. In their PoC, the pen testers debunked third-party car alarm vendors’ claim to be the solution to key relay attacks on keyless-entry cars. “We have shown that fitting these alarms can make

by Paul Ducklin Today is International Women’s Day 2019. In the leadup, a bunch of people – friends, family, colleagues and you, our readers – asked us whom we’d count amongst our female technoheroes, so we thought we’d tell you. We know what you’re thinking, which is probably along the lines of, “They’re bound to mention Rear

Russia has proposed legislation that would ban the spread of fake news, as well as the use of the internet to disrespect government officials and state symbols. The law appears to be similar to one enforced in Nigeria, where a journalist has been charged with cybercrimes for speaking out against the government, according to the