Security

0 Comments
Nearly nine in 10 (87%) of US defense contractors are failing to meet basic cybersecurity regulation requirements, according to research commissioned by CyberSheath. The survey of 300 US-based Department of Defense (DoD) contractors found that just 13% of respondents have a Supplier Risk Performance System (SPRS) score of 70 or above. Under the Defense Federal
0 Comments
The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw affecting Oracle Fusion Middleware systems to its Known Exploited Vulnerabilities (KEV) Catalog on Monday. The bug, which CISA confirmed has been exploited in the wild, allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks targeting this vulnerability
0 Comments
by Paul Ducklin Researchers at secure coding company Checkmarx have warned of porn-themed malware that’s been attracting and attacking sleazy internet users in droves. Unfortunately, the side-effects of this malware, dubbed Unfilter or Space Unfilter, apparently involve plundering data from the victim’s computer, including Discord passwords, thus indirectly exposing the victim’s contacts – such as
0 Comments
Google released new software patches on Thursday to address a new zero-day vulnerability in its Chrome web browser. Writing in a security bulletin, the tech giant described the high-severity vulnerability (tracked CVE-2022-4135) as a heap buffer overflow in the graphics processing unit (GPU) component. Google attributed the discovery of the vulnerability to Clement Lecigne from its
0 Comments
Remote monitoring and management (RMM) platform ConnectWise has patched a cross-site scripting (XSS) vulnerability that could lead to remote code execution (RCE). Security researchers at Guardio Labs wrote about the flaw earlier this week, saying threat actors could exploit it to take complete control of the ConnectWise platform. “After testing and validating several attack vectors,
0 Comments
A Vietnam-based hacking operation dubbed “Ducktail” is targeting individuals and companies operating on Facebook’s Ads and Business platform. Security researchers at WithSecure discovered the campaign earlier this year and described new developments in an advisory published earlier today. “We don’t see any signs of Ducktail slowing down soon, but rather see them evolve rapidly in
0 Comments
Google has announced a legal victory against two Russian nationals connected with the Glupteba botnet. In a blog post last Friday, the tech giant said the court’s ruling against the botnet operators set a crucial legal precedent and sends a warning to cyber-criminals and their accomplices. “Last December, Google’s Threat Analysis Group (TAG) shared the
0 Comments
A credential phishing attack reportedly targeted 22,000 students at national educational institutions with a campaign impersonating Instagram. The information comes from security experts at Armorblox, who highlighted the new threat in an advisory on November 17, 2022.  “The subject of this email encouraged victims to open the message,” reads the technical write-up. The goal of this
0 Comments
On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) published the final part of its three-section series on securing the software supply chain. The publication, which follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers, provides recommended practices for customers to ensure the integrity and
0 Comments
by Paul Ducklin Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet… …including, of course, right here on Naked Security! As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter
0 Comments
Swiss authorities have apprehended a Ukrainian national wanted by the Federal Bureau of Investigation (FBI) for 12 years for connections with a cyber-criminal group that stole millions of dollars from bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov was arrested in Geneva on October 23, 2022, and is now pending extradition to the US,
0 Comments
by Paul Ducklin DON’T LET ONE LOUSY EMAIL PASSWORD SINK THE COMPANY Microsoft’s tilt at the MP3 marketplace. Apple’s not-a-zero-day emergency. Cracking the lock on Android phones. Browser-in-the-Browser revisited. The Emmenthal cheese attack. Business Email Compromise and how to prevent it. Click-and-drag on the soundwaves below to skip to any point. You can also listen
0 Comments
Google has announced plans to roll out the initial Privacy Sandbox Beta to Android 13 mobile devices earlier next year. Initially unveiled in February, the project aims to bring new and more private advertising solutions to mobile. “Over the course of 2022, we’ve published design proposals and released a number of Developer Previews,” Android product
0 Comments
State-sponsored actors in the Billbug group (aka Lotus Blossom and Thrip) have tried to compromise a digital certificate authority in an Asian country during a campaign targeting multiple government agencies. Security researchers from Symantec have made the discovery and shared the findings in an advisory published earlier today. “In activity documented by Symantec in 2019,
0 Comments
Code hosting company GitHub has unveiled a new direct channel for security researchers to report vulnerabilities in public repositories. The feature needs to be manually enabled by repository maintainers and, once active, enables security researchers to report any vulnerabilities identified in their code. “Owners and administrators of public repositories can allow security researchers to report