Security

US senators have proposed a bill that would drastically reform the surveillance practices of the National Security Agency (NSA) and increase oversight of government surveillance. Titled The Safeguarding Americans’ Private Records Act, the bill was introduced on Thursday by Senators Ron Wyden, Zoe Lofgren, Pramila Jayapal, Warren Davidson, and Steve Daines.  According to a statement on Wyden’s website, the changes

by Danny Bradbury Aleksai Burkov, a Russian cybercriminal responsible for over $20m in credit card fraud, pleaded guilty last week for access device fraud, identity theft, computer intrusion, wire fraud, and money laundering, after being indicted four years ago for operating a carding website called Cardplanet. This website, which ran from 2009 until 2013, served

London’s Metropolitan Police Service has announced that it will start using live facial recognition (LFR) technology to scan public areas for suspected criminals.  After trialing the technology for two years, the Met has said that it will have cameras up and running within a month. The cameras will be linked to a database containing images

by Lisa Vaas New York police have arrested yet another man suspected of running the clickfraud factory known as Methbot: a farm of 1,900 data servers rented to host 5,000 bogus websites and to concoct fictional traffic coming from fake visitors, thereby running up profits from advertising fraud. Methbot got its name from White Ops,

Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC).  Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security’s Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain

by Danny Bradbury The street outside ICANN’s offices in Playa Vista, California, may be a little more crowded than normal. People worried about the .org top-level domain will be there protesting its sale to a private equity firm. They’ll be handing over a petition signed by over 21,000 people to the Internet Corporation for Assigned

A Russian man has pleaded guilty to running an illegal online marketplace that sold stolen payment card credentials to criminals, who used them to make over $20m in fraudulent purchases. Before a United States court, Aleksei Burkov admitted operating the Cardplanet website, which sold card data acquired through illegal computer intrusions. Many of the cards offered for sale

by John E Dunn Far from protecting the security and privacy of Safari users as advertised, Apple’s much-vaunted Intelligent Tracking Prevention (ITP) could leave them exposed to a raft of privacy issues, including – ironically – being tracked. That’s the surprising conclusion of a group of Google researchers who this week published a short but

America’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning yesterday after observing an increase in the number of targeted cyber-attacks that utilize Emotet. Emotet functions as a modular botnet that can steal data, send malicious emails, and act as a dropper, downloading and installing a wide range of malware onto a victim’s computer. This sophisticated strain of

by Chester Wisniewski The scene stealer in January’s Patch Tuesday updates from Microsoft was CVE-2020-0601, a very serious vulnerability in the crypt32.dll library used by more recent versions of Windows. The flaw, which also goes by the names Chain of Fools and Curveball, allows an attacker to fool Windows into believing that malicious software and websites

Brazilian prosecutors have denounced American journalist Glenn Greenwald for his alleged involvement with a cybercrime organization that hacked cell phones to commit bank fraud. Greenwald is best known for a series of reports published from June 2013 by The Guardian newspaper that detailed the global surveillance programs of the United Kingdom and the United States.

by Paul Ducklin Microsoft has today announced a data breach that affected one of its customer databases. The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world. Microsoft didn’t

A leading offshore safety and verification body has reported a rapid rise in the number of ships seeking to gain a cybersecurity classification.  Ship classification society Bureau Veritas Marine & Offshore (BV) says it has seen a surge in the number of ships applying for its “Cyber Managed” notation. The notation is based on BV’s rule

by John E Dunn Citrix has issued its first set of patches fixing a nasty vulnerability that’s been hanging over some of its biggest products. The flaw, identified as CVE-2019-19781 on 17 December 2019, affected Citrix’s Application Delivery Controller (ADC) load and application balancer, and the Citrix Gateway Virtual Private Network (VPN) appliance (previously known

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state. Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack. Under the

by Danny Bradbury The FBI has seized the domain for WeLeakInfo.com, a site that sold breached data records, after a multinational effort by law enforcement. Authorities have arrested two 22-year-old men alleged to have operated the site. Based in Fintona, Northern Ireland, and Arnhem in the Netherlands, they are believed to have made over £200,000

A teenager from Montreal is facing four criminal charges in connection with a $50m SIM-swapping scam that targeted two renowned Canadian Blockchain experts.  Eighteen-year-old hacker Samy Bensaci is accused of being part of a crime ring that stole millions of dollars in crypto-currency by gaining unauthorized access to the cell phones of crypto-currency holders in America

by Lisa Vaas On Monday, Google pushed out an update for the iOS version of Smart Lock, its built-in, on-by-default password manager. Smart Lock – which has been available for Google’s Chrome browser since 2017 – now also lets iOS users set up their device as the second factor in two-factor authentication (2FA), meaning that

NortonLifeLock, formerly known as Symantec, has put ten large commercial buildings in California’s Silicon Valley on the market.  The cybersecurity company is seeking a buyer for the properties, which are all based in the Mountain View area, close to the Google Quad Campus. The ten buildings on the market are grouped into three separate campuses,

by John E Dunn As the world’s second-largest software company, Oracle has become an organisation built on big numbers. This includes the number of security patches it issues – which with the January 2020 update reached a joint record of 334, matching an identical number released in July 2018. Unlike rivals such as Microsoft, Oracle

An American company dedicated to thwarting cyber-attacks has been snapped up by a global private equity firm.  Skyview Capital, LLC announced its acquisition of Fidelis Cybersecurity, Inc yesterday. Fidelis is located in the Maryland town of Bethesda, which a 2015 NerdWallet survey found to be the most educated place in America.  Fidelis Cybersecurity is a leading provider of

by Paul Ducklin The word “Burisma” is all over the news at the moment – it’s a Ukranian energy company that, according to some claims, was broken into by Russian hackers looking for sensitive data to steal. As you can imagine, the way the hackers got in is supposed to have been by means of

New research into the latest victims of Emotet has found increased instances of the malware affecting the United States of America’s government and military. The pernicious malware, which is spread via email, has been infecting organizations all over the world since 2014. By shining a spotlight on Emotet’s recent activities, researchers at Cisco Talos discovered that the US government

by Paul Ducklin On Monday this week, the big cybersecurity news was speculative. Was there a big, bad security bug in Microsoft Windows waiting to be announced the next day? On Tuesday, the big news was the announcement that everyone had been guessing about. Yes, there was a big bad bug, and it was in

Two Dagenham residents have been put behind bars after compromising more than 700 bank accounts and cell phone accounts to commit fraud in a six-year crime spree. Nigerian-born Oluwaseun Ajayi, aged 39, and 49-year-old Inga Irbe hacked into bank accounts then applied for loans, credit cards, and additional bank accounts in the names of their victims. 

by Danny Bradbury The CryptoAPI cryptographic bug that Microsoft reported in its Patch Tuesday release yesterday was so big that it warranted its own story. Here, we look at some of the other nasties that Microsoft fixed. Among the most serious bugs were remote code execution (RCE) flaws affecting the Windows Remote Desktop Gateway, which

An app designed to record and share milestones in a child’s development has leaked thousands of images and videos of babies online. Bithouse Inc., the developer of the Peekaboo Moments app, failed to secure a 100 GB Elasticsearch database containing more than 70 million log files dating from March 2019. As a result, information including

by Paul Ducklin The burning question of the moment is, “What about CVE-2020-0601?” That’s the bug number assigned to one of the security holes fixed in Microsoft’s January 2020 Patch Tuesday updates. Of the 50 bugs patched this month, that’s the Big One, officially described by Microsoft as a “Windows CryptoAPI Spoofing Vulnerability“. To explain.

The US government is planning to ground a fleet of nearly 1,000 drones it fears could be compromised by the People’s Republic of China (PRC). As reported by the Financial Times yesterday, the Interior Department is halting the use of over 800 drones that contain parts developed in the PRC.  The decision to ground the unmanned flying

by Paul Ducklin Here’s some goodish news: the Snake ransomware seems to have made the news last week on account of its name rather than its prevalence. Because, well, SNAKE! Like most ransomware, Snake doesn’t touch your operating system files and programs, so your computer will still boot up, log in, and let you open