Security

by Paul Ducklin Apple, rather unusually in today’s cybersecurity world, rarely announces that security fixes are on the way. There’s no equivalent of Microsoft’s Patch Tuesday, which is a regular and predictable fixture in anyone’s cybersecurity calendar; there’s no “new version every fourth Tuesday” as there is with Firefox; there’s no predetermined quarterly schedule for

Increased digital adoption since the start of COVID-19 is leaving consumers more vulnerable to cyber-attacks, according to McAfee’s 2021 Consumer Security Mindset Report. The analysis found that Brits across all age groups have embraced new digital solutions amid ongoing social distancing restrictions. Nearly three-quarters purchased at least one connected device in 2020 and one in

by Paul Ducklin Many, if not most, organisations will tell you that they have processes and procedures that they follow when employees leave. In particular, most companies have a slick and quick procedure for removing ex-staff from the payroll. Firstly, it doesn’t make economic sense to pay someone who is no longer entitled to the

Application security threat modeling solutions provider IriusRisk has announced the appointment of Dr Gary McGraw to its threat modeling technical advisory board. Dr McGraw – who has a PhD in computer science and cognitive science – joins existing advisor Adam Shostack and will assist in the strategic direction and development of the AppSec firm. The

by Paul Ducklin Here’s our latest Naked Security Live talk, where we talk about the difference between online “secrets” that aren’t really secret but were hidden away to be found as a bit of fun… …and genuine secrets, such as passwords and encryption keys, that get “hidden” away in apps or websites in the hope

The Russian government has issued cybersecurity guidance to businesses in the country after claiming they are at risk of US reprisals for the recent SolarWinds attacks. The alert came late last week from the National Coordination Center for Computer Incidents (NKTsKI), an agency created in 2018 by KGB successor the Federal Security Service (FSB). It

A former home security technician has admitted habitually hacking into customers’ home surveillance cameras to spy on people without their consent.  Telesforo Aviles accessed the accounts of around 200 customers more than 9,600 times over a period of four and half years while employed by security company ADT.  The 35-year-old carried out the cyber-intrusions for

by Paul Ducklin Remember Apple’s TouchID sensor, which created quite a stir way back in 2013 when the iPhone 5s came out with a home button that could also read your fingerprint? It wasn’t that having a fingerprint scanner was a new thing, even in 2013, but that the integration of the home button and

The European Data Protection Board has issued new advice to hospitals regarding what action to take in the event of a cyber-attack. Currently released in draft form, the new set of recommendations urges healthcare providers hit with ransomware to report the attack even if no patient data is accessed or exfiltrated.  The guidelines state: “The internal documentation

by Paul Ducklin Hidden messages, features or jokes in apps and websites are commonly known in hacker jargon as easter eggs, because they’re supposed to be found and enjoyed, but they’re not supposed to be immediately obvious. One of the most famous easter eggs in commercial software history – if not the most complex –

The effectiveness of offensive capabilities in deterring nation state actors was discussed by a panel during the recent ‘RSAC 365 Innovation Showcase: Cyber Deterrence’ webinar. Chair of the session, Jonathan Luff, co-founder at Cylon, observed that now is the ideal time to be asking if and when offensive strikes should be used following the Russian

by Paul Ducklin Anonymous and private, yet busted – we explain how darkweb sites sometimes keep your secrets… and sometimes don’t. We help you improve your cybersecurity at home. And we tell you the tale of a company with a cool name but allegedly with creepy habits coded into its browser extensions. With Kimberly Truong,

IoT and OT security firm Nozomi Networks has announced that enterprise security leader Barmak Meftah has joined its board of directors. Meftah brings more than 25 years of experience in building market-leading enterprise SaaS and cybersecurity companies to Nozomi Networks and most recently served as president of AT&T Cybersecurity where he established its cybersecurity division

More than three-quarters of applications in the retail and hospitality sector contain at least one vulnerability, with a high percentage of these requiring urgent attention, according to Veracode. The application security vendor analyzed more than 130,000 applications to compile its latest State of Software Security report. However, while the 76% of buggy apps in the

“A world leader once said ‘a decade can go by without any real news and then you can feel a decade happening in a week.’ I feel that a decade has happened in the past year,” commented Børge Bende, president of the World Economic Forum (WEF), speaking during a press conference highlighting the findings from the

by Paul Ducklin Here’s our latest Naked Security Live talk, where we discuss the tips in our article Home schooling– how to stay secure . Even if you don’t have school-age children, or aren’t living in a region where schools are currently closed, the video contains a wide range of advice that will help you

The UK’s Ministry of Defense (MoD) experienced an 18% rise in personal data loss incidents in the financial year 2019/20, according to official figures analyzed by the Parliament Street Think Tank. The UK government’s defense department revealed there were 546 reported incidents of personal data loss during the last financial year, up from 463 in 2018/19.

The Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE) yesterday announced a Memorandum of Understanding with the Women in Cybersecurity (WiCyS) Mid-Atlantic affiliate. The executed MOU creates a cooperative agreement between the two parties to partner in the furthering of their missions and objectives around the adoption, use, and expansion of CMMC-based cybersecurity practices for the

A man from Florida has admitted cyberstalking a woman who survived a violent attack in her childhood that left another young girl dead.  Alvin Willie George of Cross City pleaded guilty to two counts of cyberstalking related to the online harassment of the survivor and her sisters.  According to court records, the victim was in a Texas

by Paul Ducklin You probably don’t need to be told what sort of products were on offer at an online retail site called DarkMarket. As you can imagine, it operated on the so-called dark web, and you’d have needed the Tor browser to access it, using a special web address ending in .onion. Onion addresses

The US National Security Agency (NSA) has warned enterprises that adoption of encrypted DNS services can lead to a false sense of security and even disrupt their own DNS-monitoring tools. DNS over HTTPS (DoH) has become an increasingly popular way to improve privacy and integrity by protecting DNS traffic between a client and a DNS

by Paul Ducklin We explain how two French researchers hacked the Google Titan security key product (but why you don’t need to panic), and dig into the Mimecast certificate compromise story to see what we can all learn from it. With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music: Edith Mudge. LISTEN

Controversial connected device company Ring has added video end-to-end encryption (E2EE) to some of its products in a bid to boost user privacy and security. The Amazon-owned maker of smart doorbells first flagged the move last autumn, but will begin the roll-out this week as part of a “technical preview. “By default, Ring already encrypts

Co-authored by Sally Adam and Doug Aamoth Many pupils are starting their new school term from home rather than the classroom. For families with younger kids, home schooling is often the first time that their children have needed to use computers (rather than gaming consoles) in earnest. Whether you’re new to home schooling, going back to it after a break, or an old hand, it’s worth

Big tech companies need to “raise the bar” on enhancing privacy and trust in their services in 2021. This was the message from a panel discussion at the Consumer Electronics Show (CES) 2021, which included representatives from Google, Twitter and Amazon. This need for greater transparency has emerged as a result of the growing reliance

by Paul Ducklin Here’s our latest Naked Security Live talk, explaining why HTTPS is vital, even if you’re publishing public data that isn’t confidential. Thats because HTTPS isn’t just about the confidentiality of the data you browse to – it’s also about improving your privacy in respect of what you chose to look at, when

More than two-thirds (68%) of UK workers do not consider the cybersecurity impact of working from home, according to a new study by VPNOverview.com. The survey of 2043 employees in the UK demonstrated a lack of awareness about how to stay secure whilst working remotely, which is putting businesses at risk of attacks. The shift

by Paul Ducklin In July 2018, after many years of using Yubico security key products for two-factor authentication (2FA), Google announced that it was entering the market as a competitor with a product of its own, called Google Titan. Security keys of this sort are often known as FIDO keys after the Fast IDentity Online

The US government has announced the creation of a new cybersecurity agency to align with the country’s diplomatic efforts. The Bureau of Cyberspace Security and Emerging Technologies (CSET) was finally approved by outgoing secretary of state, Mike Pompeo — over a year-and-a-half after Congress was first notified of the plans. A brief statement from the

A cyber-attack on a Vermont healthcare provider has delayed the rollout of an electronic health record (EHR) system and cost millions of dollars in lost revenue.  The University of Vermont Health Network, which is based in Burlington, was hit by ransomware in October 2020, and is yet to make a full recovery. Most computer systems have