Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. It’s, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of
admin
Advances in cybersecurity must focus on increasing trust in digital technologies, according to Professor Adam Joinson, director of DiscribeHub+ and Professor of Information Systems at the University of Bath. This message was delivered during a talk about the socioeconomic impact of security on trust at the final leg of Digital Security by Design (DSbD) Roadshow in Northern Ireland, UK,
by Paul Ducklin LISTEN NOW What do ransomware blackmailers ask for when they don’t want money? Why did Firefox get two updates in three days? How did Adafruit get hoist by the petard of “shadow IT”? And what’s with those dirty Linux pipes? Click-and-drag on the soundwaves below to skip to any point. You can
Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi McAfee has recently observed several malicious Chrome Extensions which, once installed, will redirect users to phishing sites, insert Affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII) data. According to the Google Extension Chrome Store, the combined install base is 80,000 One extension,
How can you tell fact from fiction and avoid falling for and spreading falsehoods about the war in Ukraine? The Russian invasion of Ukraine has led to a torrent of fake news, misinformation and disinformation being spread on social media. The fabricated, manipulated and otherwise false and misleading content and narratives reach a global audience
The Russian government has established its own TLS certificate authority (CA) to address issues with accessing websites that have arisen in the wake of sanctions imposed by the west following the country’s unprovoked military invasion of Ukraine. According to a message posted on the Gosuslugi public services portal, the Ministry of Digital Development is expected
Microsoft has released fixes for a relatively small number of CVEs this month, with only three critical bugs and three publicly disclosed flaws in the Patch Tuesday roundup. None of the three zero days have been exploited in the wild. They include CVE-2022-24512, a remote code execution (RCE) vulnerability in .NET and Visual Studio. “According to Microsoft,
Security researchers have revealed a major new campaign by Chinese state hackers in which they exploited Log4Shell and other bugs to compromise at least six US state government networks. Mandiant claimed the activity between May 2021 and February 2022 indicated a deliberate campaign. However, it could not say definitively whether the prolific group known as
Over 100 current and former employees of a leading luxury car dealership are starting legal proceedings against the company after being left in the dark following a major data breach. Law firm Hayes Connor said today that the individuals had failed to get answers from LSH Auto after being contacted over six months ago to say a
The UK could be heading for a “cyber disaster” if it continues with its current approach to cybersecurity. This was the message of Professor John Goodacre, challenge director – Digital Security by Design, UKRI, and Professor of Computer Architectures, The University of Manchester, speaking during the latest leg of the DSbD roadshow, in Newport, Wales,
Social media sites and search engines will be forced to prevent fraudulent adverts from appearing on their platforms under new proposals published by the UK government. The new legal duty will require the most popular social media platforms to stop paid-for fraudulent adverts from appearing on their services. This measure is designed to protect internet
Ciaran Martin will present the headline keynote on day one Infosecurity is excited to announce two leading industry figures headlining the upcoming Infosecurity Magazine Spring Online Summit, taking place on March 22 and 23 2022. Day one (EMEA) of the event will see a headline keynote from the National Cyber Security Centre (NCSC)’s founding CEO Ciaran Martin, currently Professor
A Romanian man has been extradited to the United States to face charges relating to the sale of stolen financial data on the dark web. Sorin Becheru is suspected of conspiring with others to sell stolen credit card numbers obtained using malware. Romanian authorities arrested the 34-year-old resident of Bucharest on January 1 2022 at the request
A lengthy investigation into the online trade of child sexual abuse material (CSAM) has led to the arrest of dozens of individuals based in New Zealand. Led by New Zealand’s Te Tari Taiwhenua Department of Internal Affairs (DIA), the two-year international operation identified more than 90,000 online accounts that possessed or traded CSAM. DIA’s Digital
Most consumers prefer to bank digitally rather than in person but are worried about the risk of fraud, according to new research by payments and data security company, Entrust. A survey of 1350 consumers who made or received digital payments in the past 12 months found that 88% of respondents prefer to do their banking online in some
Pro-Ukraine hackers have compromised a large number of Russian cloud databases, deleting data, renaming files and potentially exfiltrating information for future attacks, researchers have confirmed. Jeremiah Fowler and a team at Website Planet decided to look at the campaign to “hack back” at Russian entities following the invasion of Ukraine. The Anonymous hacking collective announced
by Paul Ducklin WordPress plugins need to be kept up-to-date just as keenly as WordPress itself… …especially if those plugins are designed to help you look after the entirety of your WordPress site data. That’s why we thought we’d write about a recent warning from the creators of Updraft and Updraft Plus, which are free
by Paul Ducklin When the Apple AirTag hit the market in 2021, it immediately attracted the attention of hackers and reverse engineers. Could AirTags be jailbroken? Could AirTags be simulated? Could the AirTag ecosystem be used for purposes beyond Apple’s own imagination (or at least beyond its intentions)? We soon found ourselves writing up the
by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
by Paul Ducklin If you use Mozilla Firefox or any Chromium-based browser, notably Google Chrome or Microsoft Edge, you’ll know that the version numbers of these products are currently at 97 and 98 respectively. And if you’ve ever looked at your browser’s User-Agent string, you’ll know that these version numbers are, by default, transmitted to
by Paul Ducklin We monitor a range of email addresses related to Naked Security, so we receieve a regular (a word we are using here to mean “unrelenting”) supply of real-world spams and scams. Some of our email addresses are obviously directly associated with various Sophos-related social media accounts; others are more general business-oriented addresses;
by Paul Ducklin Just over a year ago, graphics card behemoth Nvidia announced an unexpected software “feature”: anti-cryptomining code baked into the drivers for its latest graphics processing units (GPUs). Simply put, if the driver software thinks you’re using the GPU to perform calculations related to Ethereum cryptocurrency calculations, it cuts the execution speed of
by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
by Paul Ducklin Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical. Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first: We have had reports of attacks
by Paul Ducklin Popular open-source computer hardware company Adafruit Industries accidentally exposed customer data… …via the GitHub account of a former employee. As you’ve probably figured out already, Adafruit is named after after Ada Lovelace, a nineteenth-century British intellectual who was a computer programmer long before any programmable computers existed. As mysterious as that might
by Paul Ducklin Max Kellermann, a coder and security researcher for German content management software creators CM4all, has just published a fascinating report about a Linux kernel bug that was patched recently. He called the vulnerability Dirty Pipe, because it involves insecure interaction between a true Linux file (one that’s saved permanently on disk) and
Summary The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals. Secureworks® Counter Threat Unit™ (CTU) analysis of ShadowPad samples
Have you ever been online and replied to a comment or post? Maybe it was on Reddit or on an influencer’s Instagram. Did other people reply to you, and were any of them unexpectedly hostile? When you’re online, a little hostility is sadly par for the course, but most people brush it off and move
While our tweens and tweens seem to grow into adults right before our eyes, their mobile usage matures into adulthood as well—and in many ways, we don’t see. Girls and boys hit their mobile stride right about the same point in life, at age 15 where their mobile usage jumps significantly and reaches a level
We’re excited to bring you the latest edition of the McAfee 2022 Consumer Mobile Threat Report. After all, when you know the challenges you face, it’s easier to be confident online. In this blog, we’ll take a closer look at some leading examples of techniques that cybercriminals are using to trick or defraud you via