Security

by Paul Ducklin VMware Spring is a open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the “server” part of the process yourself. If you’ve heard the term serveless computing, then this is the sort of programming environment it refers to: the overall

The United States House of Representatives has passed a bill that would change how cybercrime is tracked, measured and reported by the federal government. The Better Cybercrime Metrics Act (S.2629), authored by US senator Brian Schatz, was approved by the House in a bipartisan 377-48 vote on Tuesday. Once signed into law, the bill will encourage local and federal

by Paul Ducklin Yesterday, we wrote about a bug in the VMware Spring product, a project we described as “an open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the ‘server’ part of the process yourself.” But Spring is a huge project, with

The head of GCHQ, Jeremy Fleming, has praised a new government unit tasked with countering Kremlin disinformation campaigns. Speaking at the Australian National University in Canberra yesterday, Fleming argued that President  Putin had massively miscalculated in his invasion of Ukraine. Russian soldiers are now “refusing to carry out orders, sabotaging their own equipment and even

by Paul Ducklin Apple has just sent out two security advisories covering two zero-day security holes, namely: Apple Bulletin HT213219: Kernel code execution bug CVE-2022-22675. This security fix is for iOS and iPadOS, both of which get updated to version 15.4.1. Apple Bulletin HT213220: Kernel code execution bug CVE-2022-22675 and kernel data leakage bug CVE-2022-22674.

Security researchers are warning of a new critical remote code execution bug in a popular Java developer framework, although reports that it could be the next Log4Shell may be overblown. Dubbed “SpringShell” by some in the community, the vulnerability affects the spring-core artifact, a popular framework used extensively in Java applications, specifically with JDK9 or

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

Around a third (31%) of businesses experience cyber-attacks or breaches at least once a week, according to new figures published in the UK government’s Cyber Security Breaches Survey 2022 report. Over a quarter (26%) of charities also reported being hit by attacks at least once a week, and the government is urging all organizations to strengthen their

by Paul Ducklin You’ve probably heard of Zlib, but even if you haven’t, you’ve almost certainly used it. Zlib’s unashamedly 1990s-style website describes the product as A Massively Spiffy Yet Delicately Unobtrusive Compression Library (Also Free, Not to Mention Unencumbered by Patents). Data compression software (and, of course, the matching code to decompress it later)

by Paul Ducklin Last time we reported on a Chrome zero-day flaw was back in February 2022. Back then, Google noted that the Chrome browser – and, by implication, all other browsers based on the Chromium-project code and its underlying Blink rendering engine – had been patched against a range of memory mismanagement bugs that

Ukraine’s national telecommunications provider has been hit by a significant cyber-attack, leading to the “most severe” disruption to internet connectivity in the region since the start of the conflict with Russia. Ukrtelecom, the country’s biggest provider of fixed internet in terms of geographic coverage, confirmed the incident yesterday and said it is gradually restoring connectivity

An Estonian man has been sentenced to over five years behind bars for his role in a wide-ranging online fraud and ransomware campaign. Maksim Berezan, 37, was arrested in Latvia and extradited to the US, where he pleaded guilty in April 2021 to conspiracy to commit wire fraud affecting a financial institution and conspiracy to

A patrolman at a Sheriff’s Office in Florida has been arrested on suspicion of sending sexually explicit images to a 16-year-old high school student. Clay County resident Alejandro Carmona-Fonseca had worked for the Jacksonville Sheriff’s Office for 15 years before his arrest on March 15. During that time, he was the subject of 28 complaints from his

A United States Senate committee has questioned whether a new data label created to protect sensitive information is being abused by the Pentagon to prevent the disclosure of important information to the public. The Senate Armed Services Committee, which authorizes defense spending, asked William LaPlante to review the increasing use of the freshly concocted Controlled Unclassified Information (CUI) label

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

A London nightclub owner has been forced to surrender hundreds of thousands of pounds worth of equipment seized by police after being linked to a notorious cybercrime money laundering group. The QQAAZZ group provided money-laundering services to many organized cybercrime groups over the years. According to the National Crime Agency (NCA), the transnational gang was managed from

by Naked Security writer You’ve almost certainly heard of the LAPSUS$ hacking crew. That’s lapsus, which is as good a Latin word as any for “data breach”, followed by a dollar sign, like a text variable in BASIC. Microsoft refers to this cybergang by the more pedestrian moniker of “the DEV-5037 actor”, and noted, in

Nearly two-thirds (62%) of cybersecurity teams are understaffed, and 63% have unfilled vacancies. This is according to ISACA’s State of Cybersecurity 2022 report, which highlighted organizations’ ongoing struggles to hire and retain skilled cybersecurity professionals. This year’s survey included insights from over 2000 cybersecurity professionals worldwide. A fifth of respondents admitted it takes more than six months

by Paul Ducklin In January 2021, reports surfaced of a backup-busting ransomware strain called Deadbolt, apparently aimed at small businesses, hobbyists and serious home users. As far as we can see, Deadbolt deliberately chose a deadly niche in which to operate: users who needed backups and were well-informed enough to make them, but who didn’t

Network defenders have just 43 minutes to mitigate ransomware attacks once encryption has begun, a new study from Splunk has warned. The security monitoring and data analytics vendor evaluated the speed at which 10 ransomware variants encrypt data to compile its report, An Empirically Comparative Analysis of Ransomware Binaries. Using a controlled Splunk Attack Range lab

The current cyber dimension of the Russia-Ukraine conflict and how it may escalate were discussed by Ciaran Martin, founding CEO of the UK’s National Cyber Security Centre (NCSC), during the keynote address at the Infosecurity Magazine Online Summit – EMEA 2022. Martin began by noting that so far, “the cyber dimension has been quieter than many of us might have

by Paul Ducklin CafePress is a web service that lets artists, shops, businesses, fan clubs – anyone who signs up, in fact – turn designs, corporate slogans, logos and the like into fun merchandise they can give away or sell on to others. The days when you had to put in an order for several hundred coffee

Several US authorities have released a new alert warning of the threat to critical infrastructure (CNI) providers from the AvosLocker ransomware group. The ransomware-as-a-service affiliate operation is targeting financial services, manufacturing and government entities, as well as organizations in other sectors, the report revealed. Victims reportedly hail from all over the globe, including the US,

by Paul Ducklin Ever wanted or needed to buy or sell cryptocoins on a whim, without going online? Ever felt like cashing in 100,000 Satoshis or so at 3am to treat your party buddies to a kebab-fest on the way home from a big night out? Well, if you live in the UK, you can’t

Uganda has arrested an author and activist and a TV journalist for allegedly cyber stalking the country’s President, Yoweri Museveni. Author Norman Tumuhimbise and his colleague Farida Bikobere were reportedly bundled into a van by armed security personnel last week. The pair’s lawyer, Eron Kiiza, confirmed their arrest on Thursday to the news agency Agence France-Presse (AFP).

by Paul Ducklin The latest raft of non-emergency Apple security updates are out, patching a total of 87 different CVE-rated software bugs across all Apple products and plaforms. There are 10 security bulletins for this bunch of updates, as follows: APPLE-SA-2022-03-14-1: iOS 15.4 and iPadOS 15.4 (HT213182) APPLE-SA-2022-03-14-2: watchOS 8.5 (HT213193) APPLE-SA-2022-03-14-3: tvOS 15.4 (HT213186)

A spear-phishing study by security company Barracuda has found that a third of malicious logins into compromised accounts in 2021 came from Nigeria. The finding was included in the Spear Phishing: Top Threats and Trends Vol. 7 – Key findings on the latest social engineering tactics and the growing complexity of attacks  report, released by the company on Wednesday. The

by Paul Ducklin OpenSSL published a security update this week. The new versions are 3.0.2 and 1.1.1n, corresponding to the two currently-supported flavours of OpenSSL (3.0 and 1.1.1). The patch includes a few general fixes, such as error reporting that’s been tidied up, along with an update for CVE-2022-0778, found by well-known bug eliminator Tavis

The UK’s National Cyber Security Centre (NCSC) has launched a significant public awareness campaign to encourage stronger security practices for emails and other digital accounts. The campaign offers actionable cybersecurity guidance to the public, in line with the UK government’s Cyber Aware advice. The first of these recommends using passwords containing three random words, ensuring they are unique, strong

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Paul Ducklin and Chester Wisniewski. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.