Security

A Russian hacker who was instrumental in one of the largest thefts in history of US customer data from a single financial institution  has been sentenced to prison.  Moscow resident Andrei Tyurin, also known as Andrei Tiurin, was part of an international hacking campaign that compromised the computer systems of major financial institutions, brokerage firms, news agencies,

by Paul Ducklin Towards the end of 2020, a researcher at Dutch cybersecurity company EYE was taking a look at the firmware of a Zyxel network router. He examined the password database that shipped in the firmware and noticed an unusual username of zyfwp. That name didn’t show up in the official list of usernames

The notorious Emotet Trojan is back at the top of the malware charts, having had a makeover designed to make it more effective at escaping detection. Check Point’s newly released Global Threat Index for December 2020 revealed that the malware variant bounced back from fifth place in November. It now accounts for 7% of malware

by Paul Ducklin We advise you how to react when a friend suddenly asks for money, explain why Chromium is finally aiming for HTTPS by default, and warn you why you should never, ever hardcode passwords into your software. With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music: Edith Mudge. LISTEN NOW

Thousands of Department of Justice (DoJ) email accounts were accessed by SolarWinds attackers last year, the department has confirmed. The DoJ issued a brief statement yesterday to shed more light on the impact of the attacks, which the government has so far acknowledged and blamed on Russia, but done little else to clarify. “On December

The volume of dark web forum members is on the rise, with visitor numbers surging 44% during the first COVID-19 lockdowns last year, according to new data from Sixgill. The cyber-intelligence firm analyzed five popular English and Russian language forums to better understand their popularity over time and who is responsible for most activity. Collating

by Paul Ducklin HTTPS, as you probably know, stands for secure HTTP, and it’s a cryptographic process – a cybersecurity dance, if you like – that your browser performs with a web server when it connects, improving privacy and security by agreeing to encrypt the data that goes back and forth. Encrypting HTTP traffic from

Cyber-attacks on global healthcare organizations (HCOs) increased at more than double the rate of those targeting other sectors over the past two months, according to Check Point. The security vendor’s latest data covers the period from the beginning of November to the end of 2020, and compares it with the previous two months (September-October), a

Microsoft has revealed that the nation state group behind a recent global cyber-espionage campaign managed to view some of the firm’s source code. The tech giant has provided several updates in the wake of the discovery of the campaign, which appears to have targeted mainly US government agencies and tech firms and has been linked

The European Court of Human Rights has fallen victim to a cyber-attack after publishing a ruling regarding the fate of an incarcerated Turkish political leader.  According to Bloomberg, hackers struck at the Court’s website on Tuesday, knocking it offline for approximately 16 hours. The website has now been restored, and the order is one again accessible

A man from New York City has been charged with waging a grim cyber-stalking campaign against a female college student.  Desmond Babloo Singh allegedly created over 100 accounts on social media platforms and email services and used them to harass a former classmate of his sister for whom he claimed to have developed romantic feelings.  Nineteen-year-old Singh

Dozens of customers of a popular smart doorbell are suing the Amazon-owned manufacturer after their devices were hijacked, according to a new class action lawsuit. The new legal case joins together complaints filed by over 30 users in 15 families who say that their devices were hacked and used to harass them. They allege that

America’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over the widespread impact of a recent hacking attack that compromised the SolarWinds Orion software supply chain. The assault on SolarWinds hit the headlines earlier this month after it was discovered and disclosed by researchers at FireEye. The advanced persistent threat (APT) group behind the attack was

An ethical hacker from Romania has become the first person to earn $2m in bug bounties through the bounty hunting platform HackerOne. Talented hacker Cosmin Lordache, also known by his HackerOne handle @inhibitor181, hit his first significant earning milestone almost a year ago when he became the seventh person to pass the million-dollar earning milestone by reporting 468

A misconfigured cloud storage bucket has exposed the personal details of hundreds of social media influencers, potentially putting them at risk of fraud and harassment, according to researchers. A team at vpnMentor discovered the AWS S3 bucket wide open with no encryption or password protection, back in early November. Action has apparently yet to be

by Paul Ducklin Thanks to Naked Security reader M Carter for their help with this article. Last week, we warned of a Facebook Messenger scam that used a bogus video to lure you onto a phoney Facebook login page. In that scam, the crooks were using stolen Messenger passwords to phish for yet more Messenger

A majority of UK businesses are failing to adequately train their remote working employees to spot security threats, according to new research from iomart. The cloud services company based its Cyber Security Insights Report on the views of 1167 UK workers at C-level, director, manager and employee level. It found that over a quarter (28%)

by Paul Ducklin Here’s our latest Naked Security Live talk, discussing IM scams and how to avoid them, as well as giving you some pointers on how to think like a scammer and thereby stay one step ahead. Don’t forget that receiving a message from a friend’s account doesn’t always mean your friend actually sent

The US Senate has unanimously passed a new bipartisan bill designed to punish foreign firms that actively seek to steal American intellectual property (IP). Co-authored by senators Chris Van Hollen and Ben Sasse, the Protecting American Intellectual Property Act will allow the authorities to place sanctions on firms and individuals associated with such activity. It

Co-authored by Juan Badell and Russell Petrich As two people for whom creating phishing emails constitutes legitimate employment (we are on the product team behind the Sophos Phish Threat phishing simulation service) we know we’re in the minority. Like our not-so-lawful counterparts, we spend our days using social engineering techniques to trick people into opening