New information discovered in the aftermath of Slack’s security breach from March 2015 has prompted the company to reset the passwords of some of its users, according to a July 18 blog post.  Slack explained that it reset account passwords for 1% of its users. Any users who created their account before March 2015 and

by Danny Bradbury Mozilla is expanding the privacy tools built into Firefox by integrating its Lockwise password manager directly into the browser and expanding its support for the Have I Been Pwned (HIBP) website. Lockwise is an app for iOS and Android, and an add-on for the desktop version of Firefox. It’s a password manager

Evidence suggests that new versions of malware families are linked to the elusive Ke3chang group, along with a previously unreported backdoor, according to researchers at ESET. The researchers have long been tracking the advanced persistent threat (APT) group and suspect that it operates out of China, according to today’s press release. Named Okrum by ESET,

by Paul Ducklin The Naked Security Podcast is back! Everyone loved the content of our podcasts, but quite a few of you said that you found them hard to listen to. We didn’t have a studio to record in, so the sound quality wasn’t great – you had to concentrate on the words themselves rather

The 2019 Security Awareness Report published by SANS Security Awareness, a division of SANS Institute, found that across many organizations, there is an increased emphasis on the need for awareness and training programs. According to the report, more than 75% of those who are currently responsible for security awareness and training are spending less than half

by Mark Stockley For the last two months the infosec world has been waiting to see if and when criminals will successfully exploit CVE-2019-0708, the remote, wormable vulnerability in Microsoft’s RDP (Remote Desktop Protocol), better known as BlueKeep. The expectation is that sooner or later a BlueKeep exploit will be used to power some self-replicating

Passengers heading to Tampa, Florida, experienced an unusual delay on Tuesday. Those on board a JetBlue flight out of Newark, New Jersey, were evacuated after a person used the AirDrop feature on the Apple phone to send an image of a suicide vest to multiple iOS devices on the plane, according to the Daily News. 

by Paul Ducklin Remember GandCrab? It was a well-known strain of ransomware that was sold as a ‘service’ on the cyberunderground. The idea of CaaS, or crimeware-as-a-service, is borrowed from the outsourcing and cloud computing models that regular businesses use. These days, for example, if you want to publish your own videos, you don’t have

Oracle will release its Critical Patch Update on July 16, 2019, which will include seven new fixes for the Oracle database server, according to a pre-release announcement.    “While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,”

by Paul Ducklin In 2021, the UK’s highest-denomination banknote – or, more precisely, the biggest note in general circulation – will go plastic. New banknotes typically mean new portraits, as when a plastic Sir Winston Churchill supplanted a paper Elizabeth Fry on the fiver in 2016, and the author Jane Austen replaced the scientist Charles

According to a survey of 100 healthcare professionals from hospitals to physician group practices, more than half of respondents are highly confident in the cybersecurity of their patient portals.  The State of Patient Identity Management report, published by LexisNexis® Risk Solutions, revealed that healthcare organizations (HCOs) have great confidence in their cybersecurity preparedness. While confidence in their cybersecurity

by Lisa Vaas Thanks to how your Google Home voice assistant records our conversations, which are sometimes triggered by mistake, audio clips – both those recorded on purpose and otherwise – are being sent to engineers working on Google Home voice processing. How it’s supposed to work: Google Home should only be activated when someone

Security researchers have hacked hair straighteners from Glamoriser, according to Pen Test Partners. The UK firm bills itself as the maker of the “world’s first Bluetooth hair straighteners,” devices that users can link to an app so that the owner can set the heat and style settings and switch the straighteners off from within Bluetooth range.  Researchers

by Paul Ducklin Almost everyone’s heard of Linux – it’s the operating system kernel that’s behind a significant proportion of servers on the internet, including most of Google, Facebook, Amazon and many other contemporary online juggernauts. In its Android flavour, Linux powers the majority of smartphones out there, and in one form or another it’s

Having tracked the activities of threat actors suspected of being involved in a large number of malicious spam attacks targeting organizations based in Turkey, Sophos researchers determined that the attackers flew under the radar using Excel formula injections to deliver the payload.  “The threat actor predominantly targets victims based in Turkey using malspam email messages written

by Danny Bradbury Companies feel they are losing the cybersecurity battle, according to research released by Sophos this week. IT managers are inundated with cyberattacks from all directions and struggling to plug all the security gaps. In the survey, titled The Impossible Puzzle of Cybersecurity, Sophos surveyed 3,100 IT managers across 12 countries about their cybersecurity

Researchers have discovered a vulnerability impacting a leading manufacturer of managed kiosks found in hotels, businesses, retail and other industries that could allow a malicious actor access to the cloud database, according to Trustwave. Uniguest outsources secure, fully managed customer-facing technology solutions, but researchers reported that “based on the way their infrastructure is set up,

by Lisa Vaas The online activist group Fight for the Future is calling for a Federal ban on facial recognition surveillance. Evan Greer, deputy director of Fight for the Future, compared facial recognition to nuclear or biological weapons: while we can’t go back in time to ban the development of those technologies, we still have

A new version of the advanced malicious surveillance tool, FinSpy, has been observed stealing information from global governments, law enforcement and NGOs, according to new research from Kaspersky. “The new implants work on both iOS and Android devices and can monitor activity on almost all popular messaging services, including encrypted ones, and hide their traces better

by Paul Ducklin A few short days ago, we wrote up the news that Mozilla was up for an internet award… …for cybervillainy! We didn’t see that one coming, but it’s no lie: the UK Internet Service Providers Association (ISPA) shortlisted Mozilla for the dishonourable title of 2019 Internet Villain. The other two entries on

The Information Commissioner’s Office has announced an intention to fine Marriott International £99m for “infringements of the GDPR.” Relating to an incident that Marriott reported in November 2018, which saw approximately 339 million guest records exposed globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA) and

by Lisa Vaas Zoom, a company that sells video conferencing software for the business market, is tweaking the app to fix a vulnerability in its software that allows malicious websites to force users into a Zoom call with the webcam turned on. The flaw was discovered by security researcher Jonathan Leitschuh, who documented it in

The Department of Energy (DOE) engaged in conversations with industry partners in order to advance the cybersecurity of industrial control systems in the nation’s critical infrastructure, including power utilities and pipelines, according to FedScoop and E&E News. “Private entities and key agencies formed a consortium over concerns industrial control systems (ICS) are increasingly being targeted by

by Danny Bradbury Hackers just infiltrated virtual reality (VR), enabling them to manipulate users’ immersive 3D worlds. At the Recon cybersecurity show in Montreal, researchers Alex Radocea and Philip Pettersson demonstrated how to hack virtual reality worlds on three platforms. The first was VR Chat, a virtual chat room available via online gaming platform Steam

A cryptominer campaign has been targeting Linux-based servers using a new Golang malware, according to research published by F5 Labs.  Though not often seen in the threat landscape, the Golang malware was first identified in mid-2018 and has sustained throughout 2019. Researchers noted the latest operation, which has infected an estimated several thousand machines, began

by Lisa Vaas Bitcoin is eating up about seven gigawatts per year, according to a new tool from University of Cambridge’s Centre for Alternative Finance, called the Cambridge Bitcoin Electricity Consumption Index (CBECI). That’s a bit more than the entire country of Switzerland is using, according to the CBECI – a number that’s admittedly hard

A survey of 320 IT experts conducted by Gurucul found that one in 10 respondents admitted they would try to take as much company information with them as possible before they left their jobs. In addition, the survey found that 15% of participants would delete files or change passwords upon exiting.  While a number of

by John E Dunn Somebody out there has taken a big dislike to Robert J. Hansen (‘rjh’) and Daniel Kahn Gillmor (‘dkg’), two well-regarded experts in the specialised world of OpenPGP email encryption. It’s not known who launched the attacks in late June 2019 (Hansen says he has suspects in mind), but it’s the nature

The largest forensic services provider in the UK, Eurofins Scientific, has reportedly paid a ransom to criminals after its IT systems were disrupted in a cyber-attack. The amount of the ransom has not been disclosed, though BBC News reported that the attacks also resulted in the British police suspending its work with the global testing

by Paul Ducklin Here at Naked Security, we’re well aware that social networks aren’t for everyone, and if you’ve decided to stay away from them, we’re good with that. After all, the best way to prevent privacy blunders and data breaches is simply not to give out the data in the first place – or,