Security

by Paul Ducklin Like many countries, the UK runs a census every ten years. The census asks each household in the country to provide answers to a series of questions about the individuals living at that address, such as name, age, nationality, languages spoken, education, employment and health. (More precisely, the census requires answers, rather

The American Civil Liberties Union (ACLU) has filed a Freedom of Information Act (FOIA) request to find out how America’s national security and intelligence agencies are using artificial intelligence (AI). The ACLU said it made the request out of concern that AI was being used in ways that could violate Americans’ civil rights.  The request follows the March

The United States’ Internal Revenue Service (IRS) has issued a warning over an ongoing phishing scam targeting higher education establishments in the United States.  In a statement released yesterday, the IRS said that it was being actively impersonated over email by cyber-attackers seeking to trick victims into handing over sensitive data.   Students and staff have received

by Paul Ducklin Open source web programming language PHP narrowly avoided a potentially dangerous supply chain attack over the weekend. Technically, in fact, you could say that the “attack” was successful, given that imposters were apparently able to make to make the same source code change on two separate occasions: Code change in Trojanised ext/zlib/zlib.c

A fictional dog is to teach elementary and middle school kids how to maintain a secure digital footprint in a new book co-authored by Fortinet’s deputy CISO.  Lacey the pooch is the creation of Renee Tarun, a cybersecurity veteran of two and half decades. The character is based on Tarun’s pet chocolate Labrador, Lacey, who died

by Paul Ducklin Cybercrime isn’t about just one sort of attack, one type of crook, or one method of protection! Learn more: Watch directly on YouTube if the video won’t play here.Click the on-screen Settings cog to speed up playback or show subtitles. Why not join us live next time? Don’t forget that these talks

A Plano resident has been sent to prison for his part in a multimillion-dollar fraud and money-laundering scheme that victimized school districts, charities, and senior citizens.  In October last year, Babatope Joseph Aderinoye was found guilty of conspiracy to commit bank fraud, wire fraud, and money laundering; wire fraud; aggravated identity theft; and mail fraud.  According to

by Paul Ducklin We’re sure you’ve heard of OpenSSL, and even if you aren’t a coder yourself, you’ve almost certainly used it. OpenSSL is one of the most popular open-source cryptography libraries out there, and lots of well-known products rely on it, especially on Linux, which doesn’t have a standard, built-in encryption toolkit of its

The Federal Bureau of Investigation has issued a flash alert to Americans highlighting the dangers of Mamba ransomware. According to the Bureau, Mamba has been deployed against local governments, public transportation agencies, legal services, technology services, and industrial, commercial, manufacturing, and construction businesses. The ransomware works by weaponizing an open source full-disk encryption software called DiskCryptor. By encrypting an entire

by Paul Ducklin Apple has just pushed out an emergency “one-bug” security update for its mobile devices, including iPhones, iPads and Apple Watches. Even users of older iPhones and iPads who are still on the officially-supported iOS 12 version need to patch, so the versions you should be updating to are as follows: iOS 14

Four states have been chosen by the National Governors Association (NGA) for its 2021 Policy Academy to Advance Whole-of-State Cybersecurity.  Kansas, Missouri, Montana, and Washington have all been selected by the NGA Center for Best Practices to work directly with the NGA on cybersecurity governance, workforce development, and government partnership policies.  “Representatives of the four states will

by Paul Ducklin Regular Naked Security readers will know we’re huge fans of Alan Turing OBE FRS. He was chosen in 2019 to be the scientist featured on the next issue of the Bank of England’s biggest publicly available banknote, the bullseye, more properly Fifty Pounds Sterling. (It’s called a bullseye because that’s the tiny,

An American healthcare provider whose data was allegedly exfiltrated to an Amazon storage account by a cyber-attacker has taken legal action against Amazon.  As many as 85,688 patient and employee records were compromised last week when a threat actor seemingly based in Ukraine struck SalusCare, the largest provider of behavioral healthcare services in Southwest Florida. The attacker is

by Paul Ducklin How a social engineer ripped off a victim lured in by one of those “small outstanding fee to pay” home delivery scams. The ransomware crooks targeting networks that still haven’t done their Hafnium patches. And the Linux kernel security holes that lay there undiscovered for 15 years. With Kimberly Truong, Doug Aamoth

A political activist from Ohio has denied impersonating a leader of the political group Black Lives Matter on social media for his own personal profit. Toledo resident Sir Maejor Page, a.k.a. Tyree Conyers-Page, was arrested in September on one count of wire fraud and two counts of money laundering. An investigation was launched into the 32-year-old after

by Paul Ducklin It’s three weeks since the word HAFNIUM hit the news. The word Hafnium refers to a cybergang who are said to focus on stealing data from pretty much anyone and everyone they can infiltrate, across an eclectic range of industry sectors, and this time they hit a sort-of cybercrime jackpot. The Hafnium

Relay Medical Corporation has completed the acquisition of an Internet of Things (IoT) cybersecurity firm based in Toronto, Canada. The completion of the deal to acquire Cybeats Technologies Inc was announced yesterday, just 20 days after news of the transaction was published. Cybeats was founded in 2016 by Peter Pinsker, Dmitry Raidman, and Vladislav Kharbash. The company

by Harriet Stone Since its launch in 2010, Instagram has seen more than 1 billion accounts opened, and users on the service share close to 100 million photos every day. Instagram’s popularity may be down to the fact that it is a social media network like no other, offering a unique visual twist. Unlike Twitter

The approach organizations should take to develop and maintain an effective DevSecOps culture were highlighted by Patrick Debois, director of market strategy at Snyk during a session at the Infosecurity Magazine Online Summit EMEA 2021. Debois firstly emphasized the importance of an organization’s culture in determining the DevSecOps strategy that should be employed. “The CEO and culture of your company will

by Paul Ducklin Just one tiny line of script in your Xcode project – and you’ve been pwned! Learn all about it, and what you can do to avoid supply chain problems if you’re a coder yourself: Watch directly on YouTube if the video won’t play here.Click the on-screen Settings cog to speed up playback

Police in India have arrested 34 people for allegedly impersonating Apple and McAfee employees to con foreign nationals out of their money. The defendants were detained during a March 20 raid on two fake call centers located in the same building in Uttam Nagar, a mostly residential area in southwestern New Delhi. Delhi Police’s Cyber

The Ontic Center for Protective Intelligence has launched a new monthly honor program to recognize the pioneers and thought leaders driving the physical security and protection industry.  Each month, the program will recognize groundbreaking professionals who have developed either new models or new areas of knowledge, and veteran practitioners who are actively contributing to advancing their industry.  Among

by Paul Ducklin Remember when a whole bunch of celebs and top brands apparently went crazy tweeting about Bitcoin? It happened in July 2020, when many prominent blue-badged Twitter accounts suddenly starting sending out scammy cryptocoin messages. Fake tweets were blasted out from compromised accounts belonging to an eclectic range of high-profile people and companies,

An advanced persistent threat group (APT) with links to the Chinese government has been blamed for a cyber-espionage attack on Finland’s parliament.  The Finnish Security and Intelligence Service (Supo) announced on Thursday that APT31 was behind a cyber-espionage campaign that targeted the Finnish parliament last fall.  Security companies including Checkpoint and FireEye have linked APT31’s activities with the state cyber-operations of

by Paul Ducklin Remember XcodeGhost? It was a pirated and malware-tainted version of Apple’s XCode development app that worked in a devious way. You may be wondering, as we did back in 2015, why anyone would download and use a pirated version of Xcode.app when the official version is available as a free download anyway.

A Swiss software developer has been indicted by the US government for allegedly stealing source code and proprietary data and publishing it online. On March 18, a grand jury indicted 21-year-old Till Kottman for identity and data theft and computer-intrusion crimes spanning 2019 to the present.   Lucerne resident Kottman, also known as “deletescape” and “tillie crimew,” allegedly conspired with

by Paul Ducklin An iPhone app that allowed anyone to snoop on anyone’s calls. A data breach where 150,000 surveillance cameras protecting hundreds or thousands of customers were apparently “secured” by a single password. And please don’t forget: “Don’t spread hoaxes, folkses.” With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music by

A 50-year-old mom from Pennsylvania has been arrested after allegedly using deepfake technology to tarnish the reputations her daughter’s cheerleading rivals. Raffaela Marie Spone, of Chalfont, Bucks County, is accused of using technological trickery to make videos that appear to show members of a cheerleading group naked, smoking, or drinking.  The deepfake videos were sent

by Paul Ducklin Researchers at cybersecurity company GRIMM recently published an interesting trio of bugs they found in the Linux kernel… …in code that had been sitting there inconspicuously for some 15 years. Fortunately, it seemed that no one else had looked at the code for all that time, at least not diligently enough to

IT industry association CompTIA has launched a new training catalogue designed to facilitate the development of outstanding IT apprenticeships. The CompTIA Apprenticeship Training Solutions Catalogue will make it easier for training providers and their staff to understand how CompTIA learning objectives map to the UK’s digital apprenticeship standards. Linking directly to mapping documents, learning objectives