Security

Artificial Intelligence (AI) tooling was the hot topic at this year’s RSA Conference, held in San Francisco. The potential of generative AI in cybersecurity tooling has sparked excitement among cybersecurity professionals. However, questions have been raised about the practical usage of AI in cybersecurity and the reliability of the data used to build AI models.

by Paul Ducklin 2FA, HACKING, AND PATCHING No audio player below? Listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our

Professional sport faces unique cyber-threats and challenges, especially sounding the tie-in cyber has with physical security. These distinctive challenges have led to close collaboration between top organizations in this sector. This is according to CISOs from three of the US’ largest sports – Steve Grossman from the National Basketball Association, Tomás Maldonado at the National

by Paul Ducklin The Google Authenticator 2FA app has featured strongly in cybersecurity news stories lately, with Google adding a feature to let you backup your 2FA data into the cloud and then restore it onto other devices. To explain, a 2FA (two-factor authentication) app is one of those programs that you run on your

The current democratic system is not for purpose in the 21st Century and requires a radical revamp using modern technologies. This was the key message Bruce Schneier, security technologist, researcher, and lecturer at Harvard Kennedy School, highlighted during his keynote address on day two of the RSA 2023 Conference. Schneier said that democratic systems should

by Paul Ducklin We’ll be honest, and admit that we hadn’t heard of the printer management software PaperCut until this week. In fact, the first time we heard the name was in the context of cybercriminality and malware attacks, and we naively assumed that “PaperCut” was what we like to call a BWAIN. A BWAIN

To ensure that digital systems and products have security built in by design, the US federal government and cybersecurity professionals have been calling for greater investment in skills and training in cybersecurity throughout the tech sector. Despite CISA Director Jen Easterly recently calling for universities to include security as a standard element in computer science

by Paul Ducklin If you’re a Google Chrome or Microsoft Edge browser fan, you’re probably getting updates automatically and you’re probably up to date already. However… …just in case you’ve missed any updates recently, we suggest you go and check right now, because the Chromium browser core, on which both Edge and Chrome are based,

Popular software tools such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace have been trojanized to distribute the malware known as Bumblebee. Secureworks’ Counter Threat Unit (CTU) analyzed the findings in a report published on Thursday, saying the infection chain for several of these attacks relied on a malicious Google Ad that sent users to

The attack tool known as Evil Extractor and developed by a company called Kodex as an “educational tool,” has been used by threat actors to target Windows-based machines. The claims come from Fortinet security researchers and were described in an advisory published on Thursday. “[We] observed this malware in a phishing email campaign [disguised as account

An employee from the US Consumer Financial Protection Bureau (CFPB) has reportedly forwarded confidential records of roughly 256,000 consumers and confidential supervisory information of approximately 50 institutions to a personal email account. Congressman Bill Huizenga addressed the claims in a letter to CFPB director, Rohit Chopra, dated April 18. “At the time of your notification,

by Paul Ducklin Logging software has made cyberinsecurity headlines many times before, notably in the case of the Apache Log4J bug known as Log4Shell that ruined Christmas for many sysadmins at the end of 2021. The Log4Shell hole was a security flaw in the logging process itself, and boiled down to the fact that many

The 3CX Desktop App software has been reportedly compromised via a prior software supply chain breach, with a North Korean actor suspected to be responsible. According to security researchers at Mandiant, the initial compromise was traced back to malware from financial software firm Trading Technologies’ website. The first attack saw hackers place a backdoor into

by Paul Ducklin LOOPING THE LOOP No audio player below? Listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS

A threat actor associated with Iranian nation-state hackers has been weaponizing N-day vulnerabilities, as well as deploying new techniques to access environments of interest. The threat actor is a sub-group of Mint Sandstorm – a gang also known as Phosphorus and associated with APT35, APT42, Charming Kitten and TA453 – reported an advisory published by Microsoft on

Security researchers have discovered a new malicious software library capable of collecting lists of installed applications, a history of Wi-Fi and Bluetooth device information as well as nearby GPS location data. Dubbed Goldoson by McAfee’s Mobile Research Team, the library can also load web pages without user awareness and perform advertisement fraud by clicking on

by Paul Ducklin We’ve said this before, but we’ll repeat it again here: Imagine that you’d spoken in what you thought was total confidence to a psychotherapist, but the contents of your sessions had been saved for posterity, along with precise personal identification details such as your unique national ID number, and perhaps including additional

The state of Montana in the US has become the first to pass legislation banning TikTok on personal devices. The bill, SB 419, passed by a vote of 54 to 43, mentions several concerns about TikTok, such as alleged surveillance from the Chinese government as well as the encouragement of “dangerous activities” among youth using the app.

by Paul Ducklin If you’d never heard the cybersecurity jargon word “juicejacking” until the last few days (or, indeed, if you’d never heard it at all until you opened this article), don’t get into a panic about it. You’re not out of touch. Here at Naked Security, we knew what it meant, not so much

Automotive manufacturer Hyundai has recently disclosed a breach that has affected an unspecified number of Italian and French car owners as well as individuals who booked a test drive. The company notified affected individuals via email. Several of them posted a screenshot of the message on Twitter earlier this week. “I am sorry to inform

The “Read The Manual” (RTM) Locker group has been observed targeting corporate environments with ransomware and forcing their affiliates to follow a strict set of rules. According to an advisory published on Thursday by Trellix cybersecurity experts, the businesslike approach of the group (also observed in other threat actors, such as Conti) shows its organizational maturity.

Several cybersecurity organizations worldwide have jointly published a new series of guidelines to aid manufacturers in prioritizing cybersecurity practices while designing products. The paper was developed by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the UK,

The Iowa Department of Health and Human Services (HHS) in the US confirmed on Tuesday that the personal data of 20,800 Iowans who receive Medicaid was exposed due to a cyber-attack. According to the department, the Iowa Medicaid system itself was not compromised. Instead, the breach was due to an attack on a contractor’s computer systems

by Paul Ducklin I’M SORRY, DAVE, I’M AFRAID… SORRY, MY MISTAKE, I CAN DO THAT EASILY No audio player below? Listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts

The US Cybersecurity and Infrastructure Security Agency (CISA) published the second version of its Zero Trust Maturity Model on Tuesday, which incorporates recommendations from a public comment period. The updated guidelines aim to further the federal government’s progress toward a zero trust approach to cybersecurity in support of the new National Cybersecurity Strategy. Read more

by Paul Ducklin It’s Patch Tuesday Week (if you will allow us our daily pleonasm), and Microsoft’s updates include fixes for a number of security holes that the company has dubbed Critical, along with a zero-day fix, although the 0-day only gets a rating of Important. The 0-day probably got away with not being Critical

Malicious Android apps have been found for sale on the darknet and are being sold for up to $20,000, according to security researchers at Kaspersky. The company described the findings in an article published on Monday, in which it said the team collected examples from nine different darknet forums where these apps are being sold. “Like

by Paul Ducklin If you’re a gamer or an avid squeezer of raw computing power, you’ve probably spent hours tweaking your motherboard settings to eke out every last drop of performance. Over the years, you might even have tried out various unofficial firmware bodges and hacks to let you change settings that would otherwise be

Spanish police have arrested a 19-year-old who they claim represents a national security threat due to the magnitude of the cyber-attacks he has conducted. An investigation into Jose Luis Huertas (aka “Alcasec”) began after he allegedly hacked the national council of the judiciary (CGPJ) and tax agency, and stole data on over half a million Spaniards.

by Paul Ducklin Last week, we warned about the appearance of two critical zero-day bugs that were patched in the very latest versions of macOS (version 13, also known as Ventura), iOS (version 16), and iPadOS (version 16). Zero-days, as the name suggests, are security vulnerabilities that were found by attackers, and put to real-life