Security

by Paul Ducklin The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation… …and even though the

China has fined global mobility technology platform Didi Global around $1.2bn (8.026 billion yuan) for violating the country’s network security law, data security law and personal information protection law. The Cyberspace Administration of China (CAC), the country’s cybersecurity regulator, also fined two Didi executives 1 million yuan each for the infringements. The announcement came a

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

Unpatched flaws in popular GPS devices could allow attackers to disrupt and track vehicles, security researchers have warned. Security company BitSight described six ‘severe’ vulnerabilities in the MiCODUS MV720 GPS tracker, a popular device designed for vehicle fleet management and theft protection. The BitSight research came alongside a warning from the US Department of Homeland

by Paul Ducklin As the English translation of the Baroque-era German rendering of the Ancient Greek philosophical saying goes: Though the mills of God grind slowly, yet they grind exceeding small/Though with patience he stands waiting, with exactness grinds he all. Today, this saying is usually applied in respect of the judicial process, noting that

The Albanian government has been hit with a “massive cyber-attack,” forcing its websites offline. In a statement shared with local news outlets, the government blamed the incident on a synchronized “attack from abroad.” The press release continued: “In order to not allow this attack to damage our information system, the National Agency of Information Society

The UK government has set out proposals for a new AI rulebook to unleash innovation and boost public trust in the technology, according to a policy paper published today by the Department for Digital, Culture, Media and Sport. The report outlines the government’s approach to regulating the technology in the UK, with proposed rules addressing

by Paul Ducklin Remember Log4Shell? It was a dangerous bug in a popular open-source Java programming toolkit called Log4j, short for “Logging for Java”, published under a liberal, free source code licence, by the Apache Software Foundation. If you’ve ever written software of any sort, from the simplest BAT file on a Windows laptop to

North Korean threat actors are targeting small and mid-sized businesses with ransomware, according to Microsoft Security researchers. The group of actors, going by the name H0lyGh0st, have been developing and conducting cross-national malware attacks for over a year, performing successful attacks as early as September 2021.  As well as using a ransomware payload, the group – tracked

This week the US Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) first report into the December 2021 Log4j event, where a number of vulnerabilities were reported with this Java-based logging framework. The report’s methodology included a mixture of interviews and requests for information over a 90-day period, engaging with approximately 80 organizations and individuals

Data generated by OnePoll from April 28 to May 3 2022 on behalf of AT&T shows that the average person happens upon a suspicious online site or social media account 6.5 times a day. The recent survey of 2000 general population Americans also found that 54% of consumers said they were unaware of the difference between active and passive

by Paul Ducklin It’s prime vacation season in the Northern Hemipshere, and in some countries, July and August aren’t just months when some people take some days off, but a period of extended family holidays, often involving weeks away from home or on the road. The good news, of course, is that if you’ve had

The Virginia Commonwealth University Health System (VCU) has warned almost 4500 transplant participants about a privacy breach affecting their healthcare information. The company warned that some transplant recipients’ medical records contained their donor’s information, while recipient information also showed up in some donors’ records. It has been inappropriately exposing this information since 2006 in some

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

Microsoft patched a zero-day bug in its latest Patch Tuesday update this week that allowed remote execution on Windows machines and which is already being exploited in the wild. CVE-2022-22047 is an elevation of privilege vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS), which is responsible for Windows features, including console windows and the shutdown process.

by Paul Ducklin Have you ever come really close to clicking a phishing link simply through coincidence? We’ve had a few surprises, such as when we bought a mobile phone from a click-and-collect store a couple of years back. Having lived outside the UK for many years before that, this was our first-ever purchase from

Cyber insurance companies are looking for new ways to assess risk as they grow increasingly wary of rising claims, said a report from cybersecurity company Panaseer released this week. The 2022 Cyber Insurance Market Trends Report found a lack of confidence in underwriting processes. Only 44% of insurers said they were very confident in evaluating cyber risk, with 46.5% warning

by Paul Ducklin Paying money to ransomware criminals is a contentious issue. After all, ransomware demands boil down to one thing, whether you know it in everyday language as extortion, blackmail or standover, namely: demanding money with menaces. Usually, the attackers leave all your precious files where they are, so you can see them sitting

The US Department of Justice (DOJ) announced last Friday that a Florida resident named Ron Aksoy has been arrested and charged for allegedly selling thousands of fraudulent and counterfeit Cisco products over the course of 12 years. Also known as Dave Durden, Aksoy, 38, would have run at least 19 companies formed in New Jersey

by Paul Ducklin Remember 1999? Well, the Melissa virus just called, and it’s finding life tough in 2022. It’s demanding a return to the freewheeling days of the last millennium, when Office macro viruses didn’t face the trials and tribulations that they do today. In the 1990s, you could insert VBA (Visual Basic for Applications)

Disneyland’s Facebook and Instagram accounts were taken over on Thursday by a self-proclaimed “super hacker” who posted a series of racist and homophobic posts. Operating under the name “David Do,” the threat actor claimed he was seeking “revenge” on Disneyland employees after some of them had allegedly insulted him. “I am a super hacker that

Cybersecurity solutions provider Emsisoft has released a free decryption tool to enable AstraLocker and Yashma ransomware victims to recover their files without paying a ransom. The company made the announcement in a series of Twitter posts earlier today, providing a download link and related instructions for the tool. “The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they

A fake LinkedIn job offer was the reason behind Axie Infinity’s $600m hack, according to a new investigation by The Block. The digital assets-focused outlet said on Wednesday that while the US government attributed the attack to the North Korean hacker group Lazarus, full details of how the exploit was executed had not been disclosed.  The Block said that according

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Paul Ducklin and Chester Wisniewski. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

Apple has announced a new set of iPhone features called “Lockdown Mode.” Unveiled in a blog post on Wednesday, Lockdown Mode will land on iOS 16, iPadOS 16, and macOS Ventura devices in the fall of this year, and offer a number of security features. Apple called the mode an “extreme, optional level of security

by Paul Ducklin Remember the Log4Shell bug that showed up in Apache Log4j late in 2021? Log4j is one of the Apache Software Foundation’s many software projects (more than 350 at current count), and it’s a programming library that Java coders can use to manage logfiles in their own products. Logfiles are a vital part

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory suggesting North Korean state-sponsored cyber actors are using the Maui ransomware to target Healthcare and Public Health (HPH) Sector organizations in the US. According to the document – a joint effort between CISA, the Federal Bureau of Investigation (FBI) and the Department of

by Paul Ducklin Just over a week ago, the newswires were abuzz with news of a potentially serious bug in the widely-used cryptographic library OpenSSL. Some headlines went as far as describing the bug as a possibly “worse-than-Heartbleed flaw”, which was dramatic language indeed. Heartbleed, as you may remember, was an incredibly high-profile data leakage

The US Department of Commerce’s National Institute of Standards and Technology (NIST) has selected the first-ever group of encryption tools that could potentially withstand the attack of a quantum computer. The four selected encryption algorithms will now reportedly become part of NIST’s post-quantum cryptographic (PQC) standard, which should be finalized in about two years. More specifically, for

by Paul Ducklin Google’s latest update to the Chrome browser fixes a varying number of bugs, depending on whether you’re on Android, Windows or Mac, and depending on whether you’re running the “stable channel” or the “extended stable channel“. Don’t worry if you find the the plethora of Google blog posts confusing… …we did too,