Security

by Paul Ducklin [01’08”] Apple’s emergency 0-day fix. [08’51”] A new sort of Windows nightmare, this one not involving printers. [20’39”] Another new sort of Windows nightmare, also with no printers. [27’37”] Twitter hacker busted. [34’50”] Oh! No! Our very own Doug ruins a brand new TV. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

by Paul Ducklin Yesterday, we wrote about a vaguely mysterious zero-day patch pushed out by Apple. Like almost all Apple security fixes, the update arrived without any sort of warning, but unlike most Apple updates, only a single bug was listed on the “fix list,” and even by Apple’s brisk and efficient bug-listing standards, the

by Paul Ducklin You might be forgiven for thinking that July 2021 was Microsoft’s month for cybersecurity vulnerabilities. First there was PrintNightmare in several guises, followed by HiveNightmare (an entirely unrelated bug that nevertheless attracted the “Nightmare” moniker), followed by PetitPotam (which went down the cute aquatic mammal naming path). Now, however, it’s Apple’s turn

by Paul Ducklin French researcher Gilles Lionel, who goes by @topotam77, recently published proof-of-concept code that attackers could use to take over a Windows network. The hack, which he has dubbed PetitPotam (which is a nod to the endangered Pygmy Hippopotamus, as far as we can tell), involves what’s known as an NTLM relay attack,

by Paul Ducklin You can probably guess what we mean by “Twitter hack“. Some data breaches involve millions or even billions of accounts, perhaps compromised by a leaky cloud storage server or a poorly-secured customer database. In contrast, the Twitter hack we’re referring to ultimately led to the takeover of just 45 accounts. But what

by Paul Ducklin [00’38”] Learning from computer virus history.  [02’26”] The PrintNightmare saga continues.  [05’27”] Apple puts out a patch, but doesn’t say why.  [08’12”] Snitch on a crook and earn $10 million.  [17’50”] Scammars do grammer and speeling correctly.  [25’12”] And the Business Email Compromise that wasn’t. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. LISTEN NOW Click-and-drag on the

by Paul Ducklin As if one Windows Nightmare dogging all our printers were not enough… …here’s another bug, disclosed by Microsoft on 2021-07-20, that could expose critical secrets from the Windows registry. Denoted CVE-2021-36934, this one has variously been nicknamed HiveNightmare and SeriousSAM. The moniker HiveNightmare comes from the fact that Windows stores its registry

by Paul Ducklin It’s already nearly two months since Apple’s last security update to iOS 14, which was back on 2021-05-24 when iOS 14.6 appeared. So we weren’t surprised to see that another patch is out, officially listed [2021-07-19] as covering iOS (now on 14.7), tvOS (now also 14.7) and watchOS (now on 7.6). Annoyingly,

by Paul Ducklin [01’32”] We explain how a format string bug could lock your iPhone out of your own network.  [08’53”] We revisit the PrintNightmare saga, which is sort-of fixed but not really.  [12’50”] We look back at the 20-year-old Code Red virus.  [18’30”] We look at what cybercriminals spend money on (hint: more cybercrime).  [29’10”] And in this week’s “Oh! No!”, we learn

by Paul Ducklin Just over a week ago, we wrote about the REvil ransomware gang’s latest braggadoccio. As you probably know, ransomware operators like REvil, Clop and others don’t generally work on the front line themselves by conducting the actual network intrusions that deliver the final ransomware warhead. Instead, they recruit teams of “attack affiliates”

by Paul Ducklin “It never rains but that it pours,” as the old weather adage goes. That’s certainly how Microsoft must be seeing things right now, following the official announcement of yet another unpatched vulnerability in the Windows Print Spooler service. Dubbed CVE-2021-34481, this one isn’t quite as bad as the previous PrintNightmare problems, because

by Paul Ducklin There’s a famous and very catchy song that starts, “It was 20 years ago today…” In the song, of course, Sergeant Pepper was busily teaching his band to play – a band, as the song assures us, that was guaranteed to raise a smile. But can you remember where you were and

by Paul Ducklin We’ve written several times before about home delivery scams, where cybercriminals take advantage of our ever-increasing (and, in coronavirus times, often unavoidable) use of online ordering combined with to-the-doorstep delivery. Over the past year or so, we’ve noticed what we must grudgingly admit is a gradual improvement in believability on the part

by Paul Ducklin About a month ago, a security researcher revealed what turned out to be zero-day bug in Apple’s Wi-Fi software, apparently without meaning to: After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled it’s WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3 — Carl Schou (@vm_call)

by Paul Ducklin Here on Naked Security, we’ve regularly asked the question, or at least implied it: “Where do you think all those cybercrime payments go?” When a ransomware victim hands over a largely anonymous, mostly untraceable quantity of Bitcoin, for example, to pay off a multi-million dollar blackmail demand in the hope of recovering

by Paul Ducklin [00’21”] The “Independence Day Weekend” ransomware drama.  [15’55”] The PrintNightmare nightmare continues.  [24’16”] An email hacker gets his conviction overturned.  [30’35”] In this week’s Oh! No! story, a server room fills with toxic fumes… With Doug Aamoth and Paul Ducklin. Download the IBM 3270 retrofont that Duck admired in the podcast. Intro and outro music by Edith Mudge. LISTEN

by Paul Ducklin Here’s the good news: Microsoft has released an emergency patch for the infamous PrintNightmare bug that was revealed in the Windows Print Spooler just over a week ago. The patch is what Redmond refers to as an OOB Security Update, where OOB is short for out-of-band. OOB is a jargon term that

Microsoft has now released a patch for all Windows versions affected by the PrintNightmare zero-day, but researchers have already found a way to bypass the fix in attacks. As predicted, Microsoft this week pushed an out-of-band patch for CVE-2021-34527, which now has a CVSS “high severity” score of 8.2. The incomplete initial release on Tuesday

by Paul Ducklin In this special splintersode, Kimberly Truong talks to Eva Galperin, Director of Security at the Electronic Frontier Foundation. Eva Galperin, Director of Security, EFF Join Eva as she discusses growing up with cryptography, the troubling issue of stalkerware, how to get started in cybersecurity… and the sort of hobbies that help infosec

The White House has issued another strongly worded warning to the Putin administration: the US will take action against cyber-criminals living in Russia if the Kremlin doesn’t. Press secretary Jen Psaki explained that the two countries are continuing “expert-level” talks in the wake of the meeting between Presidents Biden and Putin last month. Another talk focused

by Paul Ducklin It’s like the movie Independence Day, but with the malware part of the story back-to-front. In the 1996 Jeff Goldblum classic, the bespectacled, academic antihero finally quashes the alien invaders by connecting to their mothership with his Mac laptop and uploading a computer virus that even the telepathic aliens didn’t see coming.

The group behind the crippling supply chain ransomware attack on a US software company has reportedly demanded $70 million in return for a ‘universal’ decryption key, as researchers claim there could be thousands of global victims. It’s believed that the REvil strain was used to compromise Kaseya’s VSA IT management software, although which ransomware affiliate is unknown.

by Paul Ducklin You might be forgiven for thinking that every day is social media day, given how much gets shared each day via social media services. For the past 11 years, however – yes, we’ve been addicted to social media for at least that long – the date 30 June has been given capital

A new Automated Clearing House (ACH) data security rule to protect electronically stored sensitive financial information has come into force in the United States. As of June 30, the ACH Security Framework now requires large, non-financial-institution (Non-Fi) originators, third-party service providers (TPSPs) and third-party senders (TPSs) to protect deposit account information by rendering it unreadable when

by Paul Ducklin More than eight-and-a-half years ago, we wrote about the US indictment of three cybercrime suspects. The troika was wanted for allegedly operating a bank-raiding crimeware “service” known as Gozi, based on zombie malware that used a technique known as HTML injection to trick victims into revealing personal information relating to their on-line

After two years of detention in a New York jail, a private investigator charged with involvement in a massive international hacker-for-hire scam is seeking to reach a plea agreement. Israeli national Aviram Azari is accused of working with co-conspirators in India to target environmental victims around the world with phishing emails and fake websites designed

by Paul Ducklin This week’s fascinating Friday fable reaches back nearly a decade, and is a reminder of how hard it can be to decide what wrong has been done, if any, in court cases that deal with what most people would call “hacking”. The story of the original court case is simply told, and

A reality TV star whose sudden death was reported by several websites says she was the victim of a malicious hacker.  Saaphyri Windsor shot to fame after appearing on American dating gaming show Flavor of Love, which starred Public Enemy rapper Flavor Flav. On Thursday night, after news of her death began circulating on the internet,

by Paul Ducklin [05’32”] When you spend tens of pounds but get billed thousands because the system mistook the date for the amount.  [14’17”] Our tips to make #SocialMediaDay your safest day on social media yet.  [28’06”] A clip from a great new privacy splintersode we’ll be airing next week.  [33’46”] Oh! No! of the week With Kimberly Truong, Doug Aamoth and

The United States has filed additional charges against a former Amazon employee accused of stealing the personal data of more than 100 million Americans and six million Canadians. A superseding indictment filed in June accuses former software engineer Paige A. Thompson of seven new charges relating to the hack of Capital One. Six of the charges relate