Security

by Paul Ducklin We investigate the controversy that was stirred up recently when the FBI in the US used malware to fight malware. The Feds accessed remote access webshells left behind after the recent Hafnium attacks to remove the webshells themselves, after a court order said they could. As helpful and as community-minded as this

An American company with ambitions to “help build a better internet” is to open its first ever office in Canada. On April 19, security, performance, and reliability company Cloudflare announced its plans to expand northward and open an office in Toronto.  Cloudflare’s co-founder, president, and COO, Michelle Zatlyn, who is Canadian but currently resides in San Francisco, California,

Ohio PKI-as-a-Service pioneer Keyfactor and Swedish PKI solutions provider PrimeKey have announced their intention to merge. Plans for the companies to come together under the Keyfactor brand “while committing to increased investments across all product lines” were shared on April 15.  PrimeKey was established 19 years ago by the company’s CTO, Tomas Gustavsson, who developed an interest in computer code as a

by Paul Ducklin Sometimes, cybercrooks claim to speak from a higher authority than just a missed home delivery… …sometimes they masquerade as an official government body, complete with all the right logos, the right terminology and even a realistic-looking website carefully cloned from the real deal. Learn more about “government” scams and how to avoid

America has issued a cybersecurity advisory that urges organizations to patch vulnerabilities it says are being exploited by Russian Foreign Intelligence Service (SVR) actors. The warning was jointly issued on April 15 by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), as the US

by Paul Ducklin Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath. With Paul Ducklin and Chester Wisniewski Intro and outro music by Edith Mudge. LISTEN NOW Click-and-drag on the soundwaves

The United States has indicted two Pakistani men on suspicion of operating an illegal online store that sold false identification documents on the dark web.  Karachi residents 34-year-old Mohsin Raza and 33-year-old Mujtaba Raza were charged in a six-count federal indictment unsealed in the District of New Jersey on April 15.  Each man is charged with conspiracy to

by Paul Ducklin We look at the big-money hacks from the 2021 Pwn2Own competition. We investigate the difficulties of hiring an assassin via the dark web. We wrestle with some of the privacy issues relating to COVID-19 infection tracking apps. With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

A man from California has been sent to prison for cyberstalking two people and threatening to murder them unless they performed sex acts on him. US Judge Dolly Gee described the actions of Covina resident Carl De Vera Bennington as “sadistic” and “cruel” before handing him a custodial sentence. One of the victims of 34-year-old Bennington was

by Paul Ducklin Remember HAFNIUM? Of course you do – it was the name behind a foursome of Exchange bugs that got patched in an emergency update early in March 2021. Even though there was just a week to go until March 2021’s Patch Tuesday, Microsoft decided to issue what have become known as the

Cyber-attackers are believed to be targeting school districts in the New Jersey county of Somerset. Security incidents that occurred in the county over the past week caused day-long school closures at two educational establishments. Schools in Bernards were closed on April 7 and Hillsborough schools were shuttered on April 12 following suspected cyber-attacks.  Computer systems and staff voicemail

by Paul Ducklin Here’s another BWAIN, which is our shorthand for Bug With An Impressive Name. That’s the abbreviation we use for bugs that end up with names, logos and even dedicated websites that are catchy, cool, fancy, important or dramatic, and sometimes even all of these at the same time. Classic examples of the

A teenager from upstate New York has killed himself after experiencing cyber-bullying and online blackmail.   The family of 15-year-old Riley K. Basford say he was tricked into sharing “personal” images over social media by a scammer posing as Basford’s girlfriend.  After obtaining the sensitive images, the scammer threatened to share them online and send them

by Paul Ducklin An iPhone and Android app called NHS COVID-19 is the official iPhone and Android coronavirus contact tracing software for the vast majority of the population of Great Britain. (England and Wales have standardised on NHS COVID-19, but Scotland has gone down a different path with an app of its own.) Today also

Professional sports teams in the United Kingdom have stopped posting on social media in a bid to raise awareness of online abuse.  Soccer clubs including Birmingham City, Swansea City, and Rangers are taking part in a week-long boycott of all their social media platforms.  Swansea led the way, with the club’s official social media accounts falling silent

Canada’s leading provider of laboratory diagnostic information and digital health connectivity systems today announced the launch of a new Vulnerability Disclosure Program (VDP). LifeLabs Medical Laboratory started the VDP program with the intention of strengthening cybercrime detection technology across its online tools, apps, and solutions. “Our goal is to continue to innovate and lead the health

by Paul Ducklin How scammers copied a government website almost to perfection. What to do about those fake “bug” hunters who ask for payment for finding “vulnerabilities” that aren’t. Why the Dutch data protection authority fined Booking.com for not sending in a data breach disclosure fast enough. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

The United States has imprisoned the cyberstalker of a woman who, as a child, survived a violent assault that claimed the life of her friend.  According to court records, the victim was in a Texas bedroom with another girl in December 1999 when an assailant entered and slit both the little girls’ throats. The perpetrator

by Paul Ducklin The annual Pwn2Own contest features live hacking where top cybersecurity researchers duke it out under time pressure for huge cash prizes. Their quest: to prove that the exploits they claim to have discovered really do work under real-life conditions. Indeed, Pwn2Own is a bug bounty program with a twist. The end result

Social media giant Facebook has removed thousands of groups from its platforms over the trading of fake and misleading reviews. The cull occurred after two separate interventions by Britain’s competition watchdog, the Competition and Markets Authority (CMA). In January 2020, Facebook committed to improving its identification, investigation, and removal of groups and other pages where

by Paul Ducklin In a brief yet fascinating press release, Europol just announced the arrest of an Italian man who is accused of “hiring a hitman on the dark web”. According to Europol: The hitman, hired through an internet assassination website hosted on the Tor network, was paid about €10,000 worth in Bitcoins to kill

Police in Chicago have arrested a former track and field coach for allegedly soliciting sexually explicit images from female athletes under false pretenses.  Chicago resident Steve Waithe was arrested on April 7 and charged with one count of wire fraud and one count of cyberstalking.  Waithe attended Loch Raven High School, where he was the Maryland State

Michigan State University (MSU) has been impacted by a data breach stemming from a cyber-attack on an Ohio law firm. Bricker & Eckler LLP, which is associated with MSU Title IX contractor INCompliance Consulting, was hit with ransomware in January 2021.  An investigation into the incident determined that an unauthorized party gained access to certain Bricker

by Paul Ducklin The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach. Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly

Cyber-criminals behind a cyber-attack on a Florida school district are demanding a ransom payment of $40m in cryptocurrency.  The computer system of Broward County Public Schools was compromised at the beginning of March by data-locking ransomware in a Conti gang operation. The attack caused a system shutdown but left classes undisturbed.  Broward is the sixth-largest school district in

A septuagenarian pastor and retired educator living in Florida has been arrested for a second time on CSAM (child sexual abuse material) charges. Former Embry-Riddle Aeronautical University professor John Robert Griffin II was first arrested on January 6 on 30 felony charges of CSAM possession.  The Daytona Beach Police Department (DBPD) said 200 sexually explicit

American multinational technology company Microsoft has been hit by its second outage in two weeks. Striking the company on April Fool’s Day, the substantial cloud outage knocked Microsoft’s Azure cloud services, Teams, Office 365, and OneDrive offline. Skype, Xbox Live, and Bing were also impacted. News of the outage began emanating from Twitter users at around 5pm ET yesterday.

A cyber-bully has been fined for sending hateful messages to a professional wrestler before she took her own life. Japanese wrestler and Netflix reality show star Hana Kimura was just 22 years old when she killed herself on May 23 last year by inhaling toxic gas in her Tokyo home. Kimura became a target for internet trolls

by Paul Ducklin Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. LISTEN NOW Click-and-drag on the soundwaves below to skip to any point in the

A former intelligence analyst who was once a United States military service member has pleaded guilty to obtaining classified information and passing it to a reporter. Daniel Everette Hale served as an enlisted airman in the US Air Force from July 2009 to July 2013. After language and intelligence training, the 31-year-old from Nashville, Tennessee,