by Naked Security writer Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time. Monday 10 September 2018: Apple’s new tool will make it easier for law enforcement to request data; Supermicro servers fixed after insecure firmware updating discovered; North Korean programmer charged for Sony, WannaCry
Security
Cyber Security Reviews – Security will bring our readers what’s happening on the security scene around the world.
In response to reports that the US State Department is lagging in its implementation of basic cybersecurity standards, a group of bipartisan senators have written a letter to Secretary of State Mike Pompeo urging him to augment security mechanisms and improve compliance. The senators point out that the password-only approach is not reliable protection, particularly
by John E Dunn If password-only security is reaching its end of days, what will replace it? For years, many have assumed that some form of new authentication must be the answer without being able to agree on which. Now an alliance of big US mobile carriers – Verizon, AT&T, Sprint, and T-Mobile – has
by Danny Bradbury A wily hacker has scored a thousand dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain. EOS is a blockchain-based cryptocurrency launched by Block.one, and it is a competitor to the more established Ethereum.
Microsoft Office documents accounted for the delivery of nearly half of all malicious macros in August 2018, according to Cofense. A recent blog post found that the macro remains the email attachment of choice for delivering malicious payloads. Of all the mechanisms analyzed, 45% of attackers used these documents to deliver malicious macros, including Geodo,
The ICO has received 500 calls each week to its breach reporting helpline since the GDPR came into force in May, but around a third of these don’t meet the minimum threshold, according to the deputy commissioner of operations. James Dipple-Johnstone told the CBI Cyber Conference in London this week that the UK privacy watchdog
by Lisa Vaas Do you feel lucky? Well, do ya, punk? Then go right ahead and hit the “buy” button to pick up a movie on iTunes. Then, be ready to kiss that movie goodbye if Apple loses the rights to distribute it. Yes, it turns out Apple’s iTunes shop is more of a “store
The website of Edinburgh University was still down at the time of writing after the institution suffered a major cyber-attack during its Freshers’ Week. Service provider Jisc told local reporters that it believes the university’s domain is the only one affected. A spokesman told the Edinburgh Evening News that the university has “rigid measures in place”
by Danny Bradbury California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post. The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in
Microsoft released fixes for over 60 CVEs yesterday as part of its monthly update round, three of which had been publicly disclosed and one of which was being actively exploited in the wild. CVE-2018-8440 is an Elevation of Privilege vulnerability in Windows Advanced Local Procedure Call (ALPC) which was disclosed by researcher and Twitter user @SandboxEscaper
by Paul Ducklin Fancy driving a Tesla, but can’t convince your local dealer to let you have a go? If it’s a Model X you’re after, and you don’t mind going to prison for a while if you get caught, you might now be able to fulfil your dream. Cybersecurity researchers at the Catholic University
by John E Dunn Is the Keybase secure messaging browser extension safe to use or not? Respected researcher Wladimir Palant (of AdBlock Plus fame) is so convinced that it isn’t that he has recommended users “uninstall the Keybase browser extension ASAP,” after he discovered what looks like a gap in its claim to offer end-to-end
Germany-based researchers found a way to spoof certificates, even those protected with PKI-based domain validation, according to the Register. With nothing more than a laptop, the group was able to steal credentials and eavesdrop on certificate authorities. “We evaluated the attack against a number of CAs and we set up a live (automated) demo against one
by Lisa Vaas A former NASA contractor has been arrested for allegedly sextorting nude photos out of women. The US Department of Justice (DOJ) said on Wednesday that Richard Gregory Bauer, 28, a former contractor at NASA Armstrong Flight Research Center who used aliases including “Steve Smith,” “John Smith,” and “Garret,” was arrested by special
An analysis of ICS (industrial control systems) computers revealed a consistent increase in the percentage of attacks, according to a new ICS CERT report from Kaspersky Lab. The Kaspersky Lab report, Threat Landscape for Industrial Automation Systems in H1 2018, indicated that 41.2% of ICS computers protected by Kaspersky Lab solutions were attacked by
by Lisa Vaas On Monday, the most outspoken member of a distributed denial of service (DDoS) gang – a British teenager – pleaded guilty to making bomb threats to thousands of schools and to a United Airlines flight between the UK and San Francisco while it was in mid-air last month. According to the National
The US government has turned up the heat on Pyongyang after indicting a North Korean citizen and member of the infamous Lazarus Group for the attacks on Sony Pictures Entertainment (SPE) and Bangladesh Bank and for the WannaCry ransomware. Filed on June 8, 2018 in Los Angeles federal court and posted today, the indictment alleges that programmer
by Lisa Vaas It’s one thing to slip spyware onto somebody’s phone so you can surreptitiously intercept text messages, call logs, emails, location tracking, calendar information and record conversations – that kind of privacy-spurning stuff. It’s another thing entirely to be the company that makes and markets the software… and – the coup de GAH!
Dutch security researcher Willem de Groot, who’s particularly interested in security problems on online payment sites, recently wrote about a long-running Magento malware campaign. Magento is to ecommerce what WordPress is to blogging – you can run the open source version on your own servers; you can use an ecommerce partner who’ll run a Magento
Google has started restricting ads for tech support services ahead of rolling out a verification program to deal with rising levels of fraud enabled by advertising on its search platform. The search giant claimed to have taken down more than 3.2 billion ads that violated its advertising policies: amounting to over 100 per second. However,
by Paul Ducklin We went on camera to discuss some fascinating research that set out to measure what your video screen lets slip about you behind your back. Enjoy… (Watch directly on YouTube if the video won’t play here.)
A recent survey of nearly 200 IT professionals about insider threats found that nearly half of the participants believed they could successfully attack their organizations from the inside. In a blog post earlier this week Imperva researchers reported on insider threats and revealed the findings of the recent survey. Of the 179 IT professionals who participated in the
Even though the majority of companies across the globe have implemented cybersecurity standards, a new report from IT Governance USA found that companies still believe they are the likely target of an attack. Since 2017, there has been a 25% increase in data breaches, according to the ISO 27001 Global Report, which also revealed that
A campaign recently reported by Farsight Security involved an internationalized domain name (IDN) “homograph-based” phishing website that tricked mobile users into inputting their personal information. The suspected phishing websites presented as commercial airline carriers – specifically Delta Airlines, easyJet and Ryanair – and offered free tickets, fooling users with the age-old bait-and-switch technique. Users were asked
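The homograph trick in the Farsight campaign relies on the gap between what a hostname looks like on screen and what it actually is on the wire: a Cyrillic “е” (U+0435) in place of a Latin “e” yields a different domain that renders almost identically, and in DNS it travels as a punycode “xn--” label. The following is an added example, not code from Farsight or from the original article, showing the two checks a defender would run over hostnames pulled from mail or proxy logs: decode the punycode, flag labels that mix scripts, and map confusable characters to a Latin “skeleton” to see whether the name collapses onto a protected brand. The brand list and the confusables table are constructed assumptions for the example (the real Unicode confusables data is far larger), as are the sample hostnames.

```python
import unicodedata

# Constructed for this example: brands we want to protect. Not from the report.
PROTECTED = {"delta.com", "easyjet.com", "ryanair.com"}

# Hand-written subset of look-alike characters (Cyrillic and Greek letters that
# render like Latin ones in common fonts). Assumption: real deployments should
# use the full Unicode confusables.txt instead of this table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03c1": "p", "\u03c4": "t",
}


def to_unicode(host):
    """Decode punycode (xn--) labels so we see the name the way a user does."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Return the set of Unicode scripts (LATIN, CYRILLIC, GREEK, ...) used
    by the letters of one label. Digits and hyphens are script-neutral."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ")[0])
    return scripts


def skeleton(label):
    """Replace each confusable character with its Latin look-alike."""
    normalized = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def analyse(host):
    """Run both homograph checks on one hostname and return the findings."""
    uni = to_unicode(host)
    labels = uni.split(".")
    mixed = any(len(scripts_in(lbl)) > 1 for lbl in labels)
    skel = ".".join(skeleton(lbl) for lbl in labels)
    # A hit only counts when the skeleton is a protected brand and the real
    # name differs from it, i.e. the brand itself is never flagged.
    impersonates = skel if (skel in PROTECTED and skel != uni) else None
    return {
        "host": host,
        "unicode": uni,
        "skeleton": skel,
        "mixed_script": mixed,
        "impersonates": impersonates,
        "suspicious": mixed or impersonates is not None,
    }


if __name__ == "__main__":
    # Constructed sample hostnames: one genuine brand, one legitimate IDN,
    # one homograph of delta.com built with a Cyrillic "е".
    fake = "xn--" + "d\u0435lta".encode("punycode").decode("ascii") + ".com"
    for h in ("delta.com", "xn--mnchen-3ya.de", fake):
        print(analyse(h))
```

Run on real data, feed `analyse` the hostnames from URL or DNS logs rather than the constructed list; a legitimate IDN such as münchen.de passes both checks because all its letters are Latin and it collapses onto no protected name, while the Cyrillic delta look-alike trips both the mixed-script test and the skeleton match.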
by Danny Bradbury US senators from both sides of the house have announced a bill that would force the President to act against overseas hackers found targeting the US, or explain why he hadn’t. Senators Cory Gardner (R-CO) and Chris Coons (D-DE) announced the Cyber Deterrence and Response Act (S.3378) this week. The text of