Security

A Kentucky resident charged with human trafficking and the online promotion of underage sex workers has been accused of creating fake social media profiles to contact victims and dissuade them from testifying against him. Nigel Nicholas was first arrested in February 2018 and charged with two counts of human trafficking and one count of promoting

by John E Dunn Smash it, submerge it in water, and perhaps shoot it for good measure – just three of the methods criminals use to permanently erase digital evidence from smartphones. And yet, as many criminals have found out to their cost, reducing a device to a pile of smashed plastic and glass means

A California man could face up to 25 years in prison after pleading guilty to downloading child pornography and habitually hacking into the computer system of Japanese gaming giant Nintendo.  Ryan Hernandez was still a minor when, together with an associate, he used a phishing technique to steal the credentials of a Nintendo employee in 2016. The data

by John E Dunn Apple engineers think they’ve come up with a simple way to make SMS two-factor authentication (2FA) one-time codes less susceptible to phishing attacks: agree a common text format so their use can be automated without the need for risky user interaction. The concept proposed by the company’s Safari WebKit team is

A data breach at Indian airline SpiceJet has exposed the personal information of over a million passengers. Access to the airline’s computer system was gained last month by a security researcher, who went on to report the breach to TechCrunch. Using a brute-force attack, the researcher busted into an unencrypted database backup file containing the private information of

by John E Dunn Now can’t be an easy time to be a professional drone pilot working for the US Department of the Interior (DOI). After years of enthusiastic expansion, in November 2019 the agency announced the temporary grounding of its fleet of Unmanned Aircraft Systems (UAS) over hacking fears unnamed sources claimed were connected

A county in the Pacific Northwestern state of Oregon is yet to fully recover from a ransomware attack that happened over a week ago. Cyber-criminals hit Tillamook County in a targeted attack last Wednesday, January 22. As a result, all internal computer systems under the county government, which 250 county employees rely on, went down.

by Danny Bradbury The UN suffered a major data breach last year after it failed to patch a Microsoft SharePoint server, it emerged this week. Then it failed to tell anyone, even though it produced a damning internal report. The news emerged after an anonymous IT employee leaked the information to The New Humanitarian, which

A notorious Russian threat group famed for its devastating ransomware attacks has funded a hacking competition being run on a dark web forum.  Sodinokibi—the creators of the REvil ransomware—stumped up $15,000 in prize money for the illegal hacking contest, which requires competitors to write original articles containing proof-of-concept videos or original code.  Articles can be

by Paul Ducklin If there’s one open source project with an unashamedly clear focus on security, it’s the OpenBSD operating system. In its own words, its efforts “emphasize portability, standardization, correctness, proactive security and integrated cryptography.” Indeed, numerous sub-projects under the OpenBSD umbrella have become well-known cybersecurity names in their own right, notably OpenSSH –

An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility’s executives.  The data was shared by an individual at community-based non-profit the VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from

by Alice Duckett This week we discuss 70,000 images being stolen from Tinder, the weleakinfo.com FBI bust and how Sonos annoyed its longstanding customers. Host Anna Brading is joined by Sophos experts Mark Stockley, Greg Iddon and producer Alice Duckett. Listen now! LISTEN NOW Click-and-drag on the soundwaves below to skip to any point in

A hacker has taken to Twitter to share design secrets they allegedly obtained by compromising American automotive and energy company Tesla.  Posting on the account @greentheonly on Friday night, a hacker who calls themself “Green” said that Tesla was planning to introduce new hardware to their S and X model cars.  Modifications that Green claims are in the

by Paul Ducklin Apple has just announced its latest round of security updates. As usual, Apple’s fixes arrived unheralded, given the company’s insistence that security fixes are best handled simply by publishing them when they’re ready, rather than following any sort of formal schedule. Not everyone agrees – Microsoft has followed its Patch Tuesday process

The US Securities and Exchange Commission (SEC) has published a 10-page document detailing cybersecurity practices observed to be in use in the financial industry. The observations were gathered by the SEC’s Office of Compliance Inspections (OCIE) and are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants. OCIE

by Paul Ducklin Today is Data Privacy Day. As we say every year, Data Privacy Day is more than just a 24-hour period when you try to keep safe online. It’s a day to think about changes you can make in your digital life that will keep you safer today, and tomorrow, and the day

US senators have proposed a bill that would drastically reform the surveillance practices of the National Security Agency (NSA) and increase oversight of government surveillance. Titled The Safeguarding Americans’ Private Records Act, the bill was introduced on Thursday by Senators Ron Wyden, Zoe Lofgren, Pramila Jayapal, Warren Davidson, and Steve Daines.  According to a statement on Wyden’s website, the changes

by Danny Bradbury Aleksai Burkov, a Russian cybercriminal responsible for over $20m in credit card fraud, pleaded guilty last week for access device fraud, identity theft, computer intrusion, wire fraud, and money laundering, after being indicted four years ago for operating a carding website called Cardplanet. This website, which ran from 2009 until 2013, served

London’s Metropolitan Police Service has announced that it will start using live facial recognition (LFR) technology to scan public areas for suspected criminals.  After trialing the technology for two years, the Met has said that it will have cameras up and running within a month. The cameras will be linked to a database containing images

by Lisa Vaas New York police have arrested yet another man suspected of running the clickfraud factory known as Methbot: a farm of 1,900 data servers rented to host 5,000 bogus websites and to concoct fictional traffic coming from fake visitors, thereby running up profits from advertising fraud. Methbot got its name from White Ops,

Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC).  Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security’s Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain

by Danny Bradbury The street outside ICANN’s offices in Playa Vista, California, may be a little more crowded than normal. People worried about the .org top-level domain will be there protesting its sale to a private equity firm. They’ll be handing over a petition signed by over 21,000 people to the Internet Corporation for Assigned

A Russian man has pleaded guilty to running an illegal online marketplace that sold stolen payment card credentials to criminals, who used them to make over $20m in fraudulent purchases. Before a United States court, Aleksei Burkov admitted operating the Cardplanet website, which sold card data acquired through illegal computer intrusions. Many of the cards offered for sale

by John E Dunn Far from protecting the security and privacy of Safari users as advertised, Apple’s much-vaunted Intelligent Tracking Prevention (ITP) could leave them exposed to a raft of privacy issues, including – ironically – being tracked. That’s the surprising conclusion of a group of Google researchers who this week published a short but

America’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning yesterday after observing an increase in the number of targeted cyber-attacks that utilize Emotet. Emotet functions as a modular botnet that can steal data, send malicious emails, and act as a dropper, downloading and installing a wide range of malware onto a victim’s computer. This sophisticated strain of

by Chester Wisniewski The scene stealer in January’s Patch Tuesday updates from Microsoft was CVE-2020-0601, a very serious vulnerability in the crypt32.dll library used by more recent versions of Windows. The flaw, which also goes by the names Chain of Fools and Curveball, allows an attacker to fool Windows into believing that malicious software and websites

Brazilian prosecutors have denounced American journalist Glenn Greenwald for his alleged involvement with a cybercrime organization that hacked cell phones to commit bank fraud. Greenwald is best known for a series of reports published from June 2013 by The Guardian newspaper that detailed the global surveillance programs of the United Kingdom and the United States.

by Paul Ducklin Microsoft has today announced a data breach that affected one of its customer databases. The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world. Microsoft didn’t

A leading offshore safety and verification body has reported a rapid rise in the number of ships seeking to gain a cybersecurity classification.  Ship classification society Bureau Veritas Marine & Offshore (BV) says it has seen a surge in the number of ships applying for its “Cyber Managed” notation. The notation is based on BV’s rule

by John E Dunn Citrix has issued its first set of patches fixing a nasty vulnerability that’s been hanging over some of its biggest products. The flaw, identified as CVE-2019-19781 on 17 December 2019, affected Citrix’s Application Delivery Controller (ADC) load and application balancer, and the Citrix Gateway Virtual Private Network (VPN) appliance (previously known