Security

by Paul Ducklin Sadly, a lot of the cryptocurrency news that we write about on Naked Security involves cybercriminals getting mixed up in things, often with depressing results. Two months ago, for example, a Japanese company called Liquid found that a cool $100 million had gone missing overnight, in a puff of cryptographic dust. We

The Space Information Sharing and Analysis Center (Space ISAC) and the New York Metro InfraGard Members Alliance (NYM-IMA) have agreed to work together to advance the mission of cybersecurity in space.  A Memorandum of Understanding (MOU) enabling collaboration between the two organizations was signed earlier this month. In a statement released to announce the news, the organizations

A 40-year-old man from California has admitted his role in a conspiracy to break into the private digital photo libraries of Apple customers to locate and steal sexually explicit images. Hao Kuo Chi, a resident of the city of La Puenta in Los Angeles County, pleaded guilty to charges of computer fraud and conspiracy on Friday, October

by Paul Ducklin The overall motto of #Cybermonth consists of three simple words. Repeat these words (try sitting on your hands while you’re saying them, for extra safety) whenever you’re faced with a cybersecurity risk, instead of rushing straight in and making a possibly expensive mistake: Stop. Think. Connect. Well, in Week 3 of #Cybermonth

South Korea is seeking assistance from the International Criminal Police Organization (Interpol) to arrest two foreign nationals suspected of being cyber-criminal gang leaders. The two individuals allegedly played a key role in multiple cyber-attacks and a major extortion scam that claimed victims in both South Korea and the United States.  On Friday, South Korea said that it

The personal data of thousands of individuals have been stolen from a non-profit professional membership organization located in Illinois. Cyber-thieves struck the American Osteopathic Association (AOA) in the summer of 2020, making off with information that included names, Social Security numbers, and financial account details. The AOA, which is headquartered in Chicago, represents around 151,000

Apple’s plans to implement new phone-scanning features have been heavily criticized by more than a dozen cybersecurity experts. The tech company announced in August its intention to start scanning iPhone users’ iCloud Photos libraries. Apple presented the move under the pretext that it would locate users’ caches of illicit content, including child sexual abuse material (CSAM). In

by Paul Ducklin If you’re a Naked Security Podcast listener (and if you aren’t, please give it a try and subscribe if you like it!), you may remember a humorous remark about ‘sideband’ attacks and sneaky data exfiltration tricks that Sophos expert Chester Wisniewski made in a recent episode. We were talking about how to

Organizations around the world take on average more than two business days to respond to a cyber-attack, according to new research by American cybersecurity company Deep Instinct.  The finding was published in the company’s second bi-annual Voice of SecOps Report, which was based on a survey of 1,500 senior cybersecurity professionals in 11 countries who work for

by Paul Ducklin [04’04”] Apple (you guessed it!) fixes yet another iPhone 0-day. [08’38”] Apache patches an embarrassing bug and then has to patch the patch. [20’01”] It’s Fight The Phish week. [28’42”] Oh! No! The computer that punched a user in the face. With Paul Ducklin and Doug Aamoth. Intro and outro music by

Social media company Facebook has announced plans to selectively protect some of its better-known users from being harassed on its platform. Updates to the company’s bullying and harassment policies were announced yesterday by Facebook’s global head of safety, Antigone Davis. The announcement coincided with National Bullying Prevention and Awareness Day in the United States.  Davis said Facebook is introducing

by Paul Ducklin Sadly, we’ve needed to write and warn about romance scams and romance scammers many times in recent years. Indeed, in February 2021 we published an article entitled Romance scams at all-time high: here’s what you need to know, following a report from the US Federal Trade Commission (FTC), America’s official consumer protection

A cybersecurity official in the Ghanaian police force has cautioned women and girls against using digital devices to take and share intimate pictures.  The assistant commissioner of police, Dr. Gustav Herbert Yankson, who is the director of the Cybercrime Unit at the CID Headquarters of the Ghana Police Service, gave the warning while speaking at

Google is bringing together a bevy of in-house experts to form a new cybersecurity advisory team. In a statement released earlier today, Google announced the creation of its new Google Cybersecurity Action Team, which it says will have “the singular mission of supporting the security and digital transformation of governments, critical infrastructure, enterprises, and small businesses.” In pursuit of

by Paul Ducklin It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish! Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call

Data belonging to patients of a hospital in New Mexico has been deleted by an unknown cyber-attacker.  The IT network of San Juan Regional Medical Center in Farmington was breached by an unauthorized individual in September last year. The attack was reported to the United States Department of Health and Human Services’ Office for Civil Rights on June 4

An authentication error left the personal data of hundreds of thousands of BrewDog customers and Equity for Punks shareholders exposed for a year and a half.  The gaffe involving an API bearer token was discovered by researchers at security consulting and testing company Pen Test Partners.  “Every mobile app user was given the same hard-coded API Bearer Token,

A student at East Carolina University has been charged with cyber-stalking after allegedly posing as a member of a rival fraternity to upload a racist post to social media. A police investigation was launched after an offensive message, purporting to be from the university’s Theta Chi chapter, was uploaded anonymously to Yik Yak in August. 

by Paul Ducklin [01’47”] Apple Pay gets hacked (sort of). [13’18”] DOJ busts four gift card scamming suspects. [25’23”] We give you our top tips for #Cybermonth. [27’40”] Ukrainian Cyberpolice take on ransomware crooks. [32’13”] Oh! No! The user that volunteered to RTFM!? With Paul Ducklin and Doug Aamoth. Intro and outro music by Edith

Patching vulnerabilities is too labor intensive and convoluted a process for most IT security professionals, according to new research by Ivanti.  The Utah-based software company surveyed over 500 enterprise IT and security professionals across North America, Europe, the Middle East, and Africa about their patch management challenges.  Nearly three-quarters of respondents (71%) found patching to be “overly complex,

by Paul Ducklin The venerable Apache web server has just been updated to fix a dangerous remote code execution (RCE) bug. This bug is already both widely-known and trivial to exploit, with examples now circulating freely on Twitter, and a single, innocent-looking web request aimed at your server could be enough for an attacker to

A working group appointed by the International Association of Scientific, Technical and Medical Publishers (STM) has published a new set of guidelines to tackle the issue of doctored images in scientific research papers.  The recommendations of the Standards and Technology Committee (STEC) include a three-tier classification system that editors can use to flag suspicious content, and detailed

by Paul Ducklin Back in June this year, we wrote about a ransomware-related bust in Ukraine, featuring a police video in which a high-security door was dismantled with a BFG (Big Fat Grinder), substantial piles of cash were counted out and packed into evidence bags, and numerous fancy cars were seized. Well, here’s another bust

A voucher scheme launched by the Northern Ireland Assembly to stimulate economic growth following Covid-19 lockdowns is having an identity crisis.  Under the £145m High Street Spend Local Scheme, the approximately 1.4 million residents of Northern Ireland who are aged 18 and over are eligible to apply for a £100 Spend Local voucher.  The voucher takes the form

by Paul Ducklin As you probably know (or, at least, as you know now!), October is Cybersecurity Awareness Month, which means it’s a great opportunity to do three things: Stop. Think. Connect. Those three words were chosen many years ago by the US public service as a short and simple motto for cybersecurity awareness. 5

A former Facebook employee is to appear before a US Senate subcommittee tomorrow after blowing the whistle on the company’s alleged prioritization of profit above user welfare.  Frances Haugen, a 37-year-old data scientist from Iowa, revealed yesterday that it was she who leaked internal research carried out by Facebook to the Wall Street Journal. This research formed the

Today marks the start of the 18th Annual Cybersecurity Awareness Month in America, and this year’s theme is “Do Your Part. #BeCyberSmart.” The digital safety initiative was launched back in October 2004 by the National Cyber Security Alliance and the United States Department of Homeland Security to help the public stay safe and secure while

by Paul Ducklin [00’22”] Guess what? iOS 12 wasn’t dead, it was just resting. [03’04”] Let’s Encrypt brings HTTPS to everyone. [12’12”] Researchers rediscover an Outlook data leakage issue. [25’34”] VMware keeps it real. [28’47”] Oh! No! When the mouse is away, the cat will play. With Paul Ducklin and Doug Aamoth. Intro and outro

The owner of two chains of American luxury department stores has warned 4.6 million Neiman Marcus customers that their personal data may have been exposed in a security incident that happened 17 months ago.  Neiman Marcus Group, which owns the Neiman Marcus and Bergdorf Goodman department stores, as well as the high-end home goods line