Security

To ensure that digital systems and products have security built in by design, the US federal government and cybersecurity professionals have been calling for greater investment in skills and training in cybersecurity throughout the tech sector. Despite CISA Director Jen Easterly recently calling for universities to include security as a standard element in computer science

by Paul Ducklin If you’re a Google Chrome or Microsoft Edge browser fan, you’re probably getting updates automatically and you’re probably up to date already. However… …just in case you’ve missed any updates recently, we suggest you go and check right now, because the Chromium browser core, on which both Edge and Chrome are based,

Popular software tools such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace have been trojanized to distribute the malware known as Bumblebee. Secureworks’ Counter Threat Unit (CTU) analyzed the findings in a report published on Thursday, saying the infection chain for several of these attacks relied on a malicious Google Ad that sent users to

The attack tool known as Evil Extractor and developed by a company called Kodex as an “educational tool,” has been used by threat actors to target Windows-based machines. The claims come from Fortinet security researchers and were described in an advisory published on Thursday. “[We] observed this malware in a phishing email campaign [disguised as account

An employee from the US Consumer Financial Protection Bureau (CFPB) has reportedly forwarded confidential records of roughly 256,000 consumers and confidential supervisory information of approximately 50 institutions to a personal email account. Congressman Bill Huizenga addressed the claims in a letter to CFPB director, Rohit Chopra, dated April 18. “At the time of your notification,

by Paul Ducklin Logging software has made cyberinsecurity headlines many times before, notably in the case of the Apache Log4J bug known as Log4Shell that ruined Christmas for many sysadmins at the end of 2021. The Log4Shell hole was a security flaw in the logging process itself, and boiled down to the fact that many

The 3CX Desktop App software has been reportedly compromised via a prior software supply chain breach, with a North Korean actor suspected to be responsible. According to security researchers at Mandiant, the initial compromise was traced back to malware from financial software firm Trading Technologies’ website. The first attack saw hackers place a backdoor into

by Paul Ducklin LOOPING THE LOOP No audio player below? Listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS

A threat actor associated with Iranian nation-state hackers has been weaponizing N-day vulnerabilities, as well as deploying new techniques to access environments of interest. The threat actor is a sub-group of Mint Sandstorm – a gang also known as Phosphorus and associated with APT35, APT42, Charming Kitten and TA453 – reported an advisory published by Microsoft on

Security researchers have discovered a new malicious software library capable of collecting lists of installed applications, a history of Wi-Fi and Bluetooth device information as well as nearby GPS location data. Dubbed Goldoson by McAfee’s Mobile Research Team, the library can also load web pages without user awareness and perform advertisement fraud by clicking on

by Paul Ducklin We’ve said this before, but we’ll repeat it again here: Imagine that you’d spoken in what you thought was total confidence to a psychotherapist, but the contents of your sessions had been saved for posterity, along with precise personal identification details such as your unique national ID number, and perhaps including additional

The state of Montana in the US has become the first to pass legislation banning TikTok on personal devices. The bill, SB 419, passed by a vote of 54 to 43, mentions several concerns about TikTok, such as alleged surveillance from the Chinese government as well as the encouragement of “dangerous activities” among youth using the app.

by Paul Ducklin If you’d never heard the cybersecurity jargon word “juicejacking” until the last few days (or, indeed, if you’d never heard it at all until you opened this article), don’t get into a panic about it. You’re not out of touch. Here at Naked Security, we knew what it meant, not so much

Automotive manufacturer Hyundai has recently disclosed a breach that has affected an unspecified number of Italian and French car owners as well as individuals who booked a test drive. The company notified affected individuals via email. Several of them posted a screenshot of the message on Twitter earlier this week. “I am sorry to inform

The “Read The Manual” (RTM) Locker group has been observed targeting corporate environments with ransomware and forcing their affiliates to follow a strict set of rules. According to an advisory published on Thursday by Trellix cybersecurity experts, the businesslike approach of the group (also observed in other threat actors, such as Conti) shows its organizational maturity.

Several cybersecurity organizations worldwide have jointly published a new series of guidelines to aid manufacturers in prioritizing cybersecurity practices while designing products. The paper was developed by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the UK,

The Iowa Department of Health and Human Services (HHS) in the US confirmed on Tuesday that the personal data of 20,800 Iowans who receive Medicaid was exposed due to a cyber-attack. According to the department, the Iowa Medicaid system itself was not compromised. Instead, the breach was due to an attack on a contractor’s computer systems

by Paul Ducklin I’M SORRY, DAVE, I’M AFRAID… SORRY, MY MISTAKE, I CAN DO THAT EASILY No audio player below? Listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts

The US Cybersecurity and Infrastructure Security Agency (CISA) published the second version of its Zero Trust Maturity Model on Tuesday, which incorporates recommendations from a public comment period. The updated guidelines aim to further the federal government’s progress toward a zero trust approach to cybersecurity in support of the new National Cybersecurity Strategy. Read more

by Paul Ducklin It’s Patch Tuesday Week (if you will allow us our daily pleonasm), and Microsoft’s updates include fixes for a number of security holes that the company has dubbed Critical, along with a zero-day fix, although the 0-day only gets a rating of Important. The 0-day probably got away with not being Critical

Malicious Android apps have been found for sale on the darknet and are being sold for up to $20,000, according to security researchers at Kaspersky. The company described the findings in an article published on Monday, in which it said the team collected examples from nine different darknet forums where these apps are being sold. “Like

by Paul Ducklin If you’re a gamer or an avid squeezer of raw computing power, you’ve probably spent hours tweaking your motherboard settings to eke out every last drop of performance. Over the years, you might even have tried out various unofficial firmware bodges and hacks to let you change settings that would otherwise be

Spanish police have arrested a 19-year-old who they claim represents a national security threat due to the magnitude of the cyber-attacks he has conducted. An investigation into Jose Luis Huertas (aka “Alcasec”) began after he allegedly hacked the national council of the judiciary (CGPJ) and tax agency, and stole data on over half a million Spaniards.

by Paul Ducklin Last week, we warned about the appearance of two critical zero-day bugs that were patched in the very latest versions of macOS (version 13, also known as Ventura), iOS (version 16), and iPadOS (version 16). Zero-days, as the name suggests, are security vulnerabilities that were found by attackers, and put to real-life

When a man arrived in the middle of the night at a North London hospital and was emotionally upset, distressed, with seizure-like movements and unable to speak, Isabel Straw, an NHS emergency doctor, first struggled to find the reason because all the tests her team performed on him did not reveal any issues. That is

by Paul Ducklin We’ve written before, back in 2022, about a code execution hole in the widely-used JavaScript sandbox system vm2. Now we’re writing to let you know about a similar-but-different hole in the same sandbox toolkit, and urging you to update vm2 if you use (or are reponsible for building) any products that depend

Google has unveiled a new policy for Android apps that enable account creation. The rule mandates such apps to provide users with an option to delete both the accounts and the data associated with them. Describing the new feature in a blog post published on Wednesday, Bethel Otuteye, senior director of product management at Android

by Paul Ducklin Apple just issued a short, sharp series of security fixes for Macs, iPhones and iPads. All supported macOS versions (Big Sur, Monterey and Ventura) have patches you need to install, but only the iOS 16 and iPadOS 16 mobile versions currently have updates available. As ever, we can’t yet tell you whether

A mid-sized law firm representing Uber has notified an unknown number of its drivers that sensitive data has been exposed and stolen due to a cyber-attack. New Jersey-based Genova Burns disclosed the breach in an email to customers first obtained by The Register. “We determined that an unauthorized third party gained access to our systems,

Threat actors focusing on phishing techniques have been increasingly using Telegram to automate their activities and provide various services. The findings come from cybersecurity experts at Kaspersky, who described the new trend in a Wednesday advisory authored by web content analyst Olga Svistunova. “To promote their ‘goods,’ phishers create Telegram channels through which they educate