Security

Spain’s Policia Nacional has teamed up with the US Secret Service to dismantle a cybercrime gang that stole millions of dollars from US citizens and companies. Nine suspected members of the group have been arrested – eight in Madrid and one in Miami – after receiving close to €5m ($5.4m) from their victims, which they

by Paul Ducklin Apple has just released updates for all supported Macs, and for any mobile devices running the very latest versions of their respective operating systems. In version number terms: iPhones and iPads on version 16 go to iOS 16.3.1 and iPadOS 16.3.1 respectively (see HT213635). Apple Watches on version 9 go to watchOS

Security researchers have discovered another sizeable haul of malicious packages on the npm and PyPI open source registries, which could cause issues if unwittingly downloaded by developers. In January, Sonatype said it found 691 malicious npm packages and 49 malicious PyPI components containing crypto-miners, remote access Trojans (RATs) and more. The discoveries by the firm’s

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new Cybersecurity Advisory (CSA) on Thursday warning critical infrastructure sector entities against ongoing North Korean state-sponsored ransomware activity. Part of the #StopRansomware campaign, the new advisory is a result of a collaboration between CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department

by Naked Security writer In October 2022, we asked you to imagine being stuck in the following awful situation: Imagine that you’d spoken in what you thought was total confidence to a psychotherapist, but the contents of your sessions had been saved for posterity, along with precise personal identification details such as your unique national

Reddit suffered a cyber-attack after its internal systems were breached on February 05 due to a “sophisticated” and “highly-targeted” phishing attack that led to employee credential compromise. “The attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens,”

by Paul Ducklin Popular social media site Reddit – “orange Usenet with ads”, as we’ve somewhat ungraciously heard it described – is the latest well-known web property to suffer a data breach in which its own source code was stolen. In recent weeks, LastPass and GitHub have confessed to similar experiences, with cyercriminals apparently breaking

The number of published industrial control system (ICS) vulnerabilities has grown by almost 70% in the past three years, with over a fifth still not patched by manufacturers, according to SynSaber. The security vendor analyzed advisories published by the US Cybersecurity and Infrastructure Security Agency (CISA) between January 1 2020 and December 31 2022 in

by Paul Ducklin CAN YOU GET HACKED AND THEN PROSECUTED FOR IT? Cryptocurrency crimelords. Security patches for VMware, OpenSSH and OpenSSL. Medical breacher busted. Is that a bug or a feature? Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin Intro

Three individuals including a married couple have been arrested in connection with a fraud scheme that may have cost several companies millions of dollars. Officers from the UK’s National Crime Agency (NCA) searched two properties in Loughborough and Lytham St Annes, arresting a man in his fifties and his wife, as well as a second

by Paul Ducklin Cybersecurity news, in Europe at least, is currently dominated by stories about “VMWare ESXi ransomware” that is doing the rounds, literally and (in a cryptographic sense at least) figuratively. CERT-FR, the French government’s computer emergency response team, kicked off what quickly turned into a mini-panic at the tail end of last week,

Recorded business email compromise (BEC) attacks increased by more than 81% during 2022 and by 175% over the past two years, with open rates on malicious emails also surging, according to Abnormal Security. The security vendor analyzed data from its customers to help compile its H1 2023 threat report, Read Alert. It found the median

by Paul Ducklin OpenSSL, probably the best-known if not the most widely-used encryption library in the world, has just release a trifecta of security updates. These patches cover the two current open-source versions that the organisation supports for everyone, plus the “old” 1.0.2-version series, where updates are only available to customers who pay for premium

by Paul Ducklin DO WE REALLY NEED A NEW “WAR AGAINST CRYPTOGRAPHY”? We talk to renowned cybersecurity author Andy Greenberg about his tremendous new book, Tracers in the Dark. Hear Andy’s thoughtful commentary on cybercrime, law enforcement, anonymity, privacy, and whether we really need a “war against cryptography” – codes and ciphers that the government

A government-backed competition to encourage school-aged children to pursue a career in cybersecurity persuaded thousands across the UK to enter this year. Thirteen teams were named champions of their region at the 2023 CyberFirst Girls Competition finals last weekend, with more than 8700 entering the contest, according to the National Cyber Security Centre (NCSC). After

The developer of several stalkerware apps has been handed a fine of nearly half a million dollars and told to modify the software. A consortium of 16 companies owned by Patrick Hinchy produced snooping apps Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint and TurboSpy. These enabled customers to secretly monitor a comprehensive

Atlassian has released multiple patches to fix a critical security vulnerability in Jira Service Management Server and Data Center. The flaw (tracked CVE-2023-22501) has a CVSS score of 9.4 and can reportedly be exploited by attackers to impersonate other users and obtain unauthorized access to affected instances. “With write access to a User Directory and

Threat actors have been observed using malvertising attacks to distribute virtualized .NET malware loaders dubbed “MalVirt.” According to a Thursday advisory by SentinelOne, the new loaders leverage obfuscated virtualization techniques to avoid detection. “The loaders are implemented in .NET and use virtualization, based on the KoiVM virtualizing protector of .NET applications, in order to obfuscate

by Paul Ducklin The open source operating system distribution OpenBSD is well-known amongst sysadmins, especially those who manage servers, for its focus on security over speed, features and fancy front-ends. Fittingly, perhaps, its logo is a puffer fish – inflated, with its spikes ready to repel any wily hackers who might come along. But the

The UK’s data protection and privacy regulator will no longer fine public electronic communications service providers (CSPs) if they fail to report a data breach within 24 hours. The Information Commissioner’s Office (ICO) said that as long as CSPs – including mobile carriers and ISPs – report any incidents to it within 72 hours they

by Paul Ducklin WHY DID THAT TAKE SO LONG? Latest epidode – listen now. Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts,

by Paul Ducklin It’s been a newsworthy few weeks for password managers – those handy utilities that help you come up with a different password for every website you use, and then to keep track of them all. At the end of 2022, it was the turn of LastPass to be all over the news,

North Korean state-backed hackers and insecure decentralized finance (DeFi) protocols helped to make 2022 a record year for cryptocurrency heists, according to Chainalysis. The blockchain analysis company teased the figures ahead of an upcoming annual crypto crime report. A total of $3.8bn was stolen from cryptocurrency firms last year, 82% of which resulted from targeting

by Paul Ducklin Another day, another access-token-based database breach. This time, the victim (and in some ways, of course, also the culprit) is Microsoft’s GitHub business. GitHub claims that it spotted the breach quickly, the day after it happened, but by then the damage had been done: On December 6, 2022, repositories from our atom,

Security researchers have discovered underground cybercrime sites selling cheating services, leaked courses and fake certificates to help unscrupulous individuals gain security qualifications and/or a leg up in their careers.  Dov Lerner, head of threat research at Cybersixgill, said in a new report out today that his team found fake CompTIA CySA+ diplomas, among other security-related

Russian hacktivists appear to have been busy again after reports suggested several hospital websites across the US and the Netherlands were downed by distributed denial of service (DDoS) attacks. University of Michigan Hospital and Stanford Health Care Center were among the targeted facilities in the current campaign, which hit a handful of hospitals in the

by Paul Ducklin Samba, simply put, is a super-useful, mega-popular, open-source reimplementation of the networking protocols used in Microsoft Windows, and its historical importance in internetworking (connecting two different sorts of network together) cannot be underestimated. In the late 1990s, Microsoft networking shed its opaque, proprietary nature and became an open standard known as CIFS,

Security experts have warned of several new apps available on Google Play which purport to help the user develop healthy habits in return for rewards, but in reality just bombard them with irritating ads. Lucky Habit: health tracker, Lucky Step-Walking Tracker and WalkingJoy have garnered over 20 million downloads for what appears to be the same

An operation responding to a Black Basta ransomware compromise has revealed the use of a new PlugX malware variant that can automatically infect any attached removable USB media devices. Palo Alto Networks Unit 42 shared the findings with Infosecurity earlier today, adding that the new PlugX variant is “wormable” and can infect USB devices in

by Paul Ducklin BREACHES, PATCHES, LEAKS AND TWEAKS Latest epidode – listen now. Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify,