Security

The developer of a popular WordPress plugin has updated its product to fix a critical vulnerability that could be exploited to change the appearance of websites. Elementor is marketed as a leading website building platform for WordPress, enabling over five million users to easily create websites for themselves or their business without writing any code. However,

Microsoft has revealed how a coordinated operation helped disrupt a notorious Trojan used widely around the world to facilitate ransomware and other attacks. ZLoader was spawned from the infamous Zeus banking Trojan, but like similar malware TrickBot and Emotet, it underwent significant development over the years, adding new functionality. As such, it soon evolved from

by Paul Ducklin For the third time this year, Google’s Chrome browser has quietly received a security update together with the dreaded words, “Google is aware that an exploit […] exists in the wild.” In this case, the bug is officially dubbed CVE-2022-1364: Type Confusion in V8. V8 is Google’s JavaScript engine – the same

The MetroHealth System in Cleaveland, Ohio, recently disclosed a data breach involving 1700 of its patients. In a recent statement, MetroHealth announced that on November 13, while the health system’s electronic medical records systems were being upgraded, 1700 patient records were unintentionally disclosed. The breach involved patient names, care provider names and appointment details. MetroHealth claimed

by Naked Security writer The cryptocurrency world is full of weird stories. You’ve probably heard of the Welshman who who claimed he inadvertently threw away a hard disk containing bitcoinage worth $500 million, and went to his local council for permission to dig up the landfill site where he assumed it would have been dumped,

The number of publicly reported data breaches in the US increased by double digits year-on-year in the first three months of 2022, according to the Identity Theft Resource Center (ITRC). The non-profit claimed that the increase represents the third successive year in which Q1 figures have exceeded those recorded 12 months previously. The vast majority

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

A noted Ethereum developer has been sentenced to more than five years behind bars after pleading guilty to helping North Korea evade sanctions. Virgil Griffith, 39, initially pleaded not guilty back in January 2020, following his arrest at Los Angeles International Airport in November 2019. However, he changed that plea last year. He conspired to provide

by Paul Ducklin Researchers at healthcare cybersecurity company Cynerio just published a report about five cybersecurity holes they found in a hospital robot system called TUG. TUGs are pretty much robot cabinets or platforms on wheels, apparently capable of carrying up to 600kg and rolling along at just under 3km/hr (a slow walk). They’re apparently

One of the world’s most notorious hacking marketplaces, RaidForums, has been shut down and its infrastructure seized in a major cross-border law enforcement operation. Operation TOURNIQUET, which was coordinated by Europol in support of the independent investigations of the US, UK, Sweden, Portugal and Romania, also led to the arrest of the RaidForums’ administrator and two of

by Paul Ducklin Three years ago, we published an article with the dramatic-sounding title Serious Security: Post-Quantum Cryptography (and why we’re getting it). As you probaby know, so-called quantum computers work in a rather mysterious way compared to conventional computers, inasmuch as they can perform certain sorts of calculation so that they effectively “compute” all

Scammers who tricked victims into handing them control of their PCs managed to steal nearly £58m last year, according to official UK police figures. Some 20,144 individuals fell victim to such “remote access tool” (RAT) scams in 2021, according to Action Fraud, the country’s national reporting centre for fraud and cybercrime. Losing on average around £2800 per

The multifaceted nature of modern supply chain risks was highlighted by Jon France, CISO for (ISC)², during (ISC)² Secure London this week. France, who was appointed the first-ever CISO of (ISC)² earlier this year, emphasized that rapid digitization across all industries had significantly widened organizations’ threat landscape during COVID-19. “Speed can sometimes be the enemy of risk,” he noted,

by Paul Ducklin The good news in this month’s Android patches is that even though Google’s own updates close off numerous elevation of privilege (EoP) holes, there aren’t any remote code execution bugs on the list. The bad news, of course, is that EoP bugs that directly lead to root access, without any tell-tale signs,

The Information Commissioner’s Office (ICO) is currently investigating a cyber-attack across TrustFord branches throughout the UK. The vehicle dealer group revealed the attack, which is believed to have been committed by the Conti ransomware gang, affected the firm’s internal systems. In particular, access to the internet and phones within the business was affected. However, TrustFord assured

by Paul Ducklin If you’ve ever written technical documentation to use online, you probably started out by creating it directly in HTML (hypertext markup language), so you could drop it directly into your website. You may have used various HTML editors that gave you a real-time but not entirely precise preview, but you’ll have spent

The websites of Finland’s defense and foreign affairs were taken offline today following DDoS attacks. The ministries each confirmed the attacks on Twitter earlier today, although the websites now appear to be back up and running. The nation’s Ministry of Defense wrote at 10.45 am GMT: “The Department of Defense website http://defmin.fi is currently under attack. We

by Paul Ducklin German police have located and closed down the servers of Hydra, allegedly one of the world’s biggest underground online stores. Investigators at the Bundeskriminalamt (BKA – the Federal Criminal Police Office) claim that the Russian-language Hydra darkweb site, accessible via the Tor network, had about 17 million customer accounts (many individual buyers

At the (ISC)2 Secure London Event today, Laurie-Anne Bourdain, data protection officer at Belgium fintech company Isabel Group, delivered a session on planning and delivering a successful cybersecurity awareness program. Bourdain advised that creating a roadmap is an essential first step in developing a good awareness program. The roadmap requires an understanding of your organization’s

by Paul Ducklin LISTEN NOW [01’34”] LAPSUS$ hacking, 2022-style. [06’11”] Zero-day emergency updates from Apple. [08’46”] Elevation of privilege patches in Android. [09’41”] Bugs fixed in Firefox 99. [11’00”] The SATAN network scanner and its impact on threat reponse. [14’02”] Two confusing bugs in VMware Spring. [20’17”] Old-school hacking, PDP-11 style. Click-and-drag on the soundwaves

Security researchers have observed tens of thousands of attempts to exploit the critical new SpringShell (Spring4Shell) vulnerability within days of its publication. Check Point Research claimed to have spotted 37,000 such attempts within the first four days, which it extrapolated to calculate that around 16% of global organizations were affected. Europe accounted for the largest number of incidents

by Paul Ducklin The once-every-four-weeks security update to Mozilla’s Firefox browser officially arrived today. The regular version of Firefox is now 99.0, while the Extended Support Release, which gets security fixes without any feature updates, is now 91.8.0 ESR. Add together the first two numbers in the ESR release triplet and you should get the

A leading UK high street retailer has been forced to close several stores and part suspend its operations after a cyber-attack, according to reports. The Works, which sells cut-price arts and crafts supplies, reportedly said it had disabled access to computer systems, including email, as a precaution while it investigates. “There has been some limited

by Paul Ducklin The infamous LAPSUS$ gang, whose curious brand of cyberextortion has been linked with intrusions at Microsoft, Samsung, Okta, Nvidia and others, still seems to be on the boil. According to Microsoft’s own analysis of the gang’s intrusion at Microsoft itself, these hackers use a range of social engineering techniques that go beyond

Customers of a popular cryptocurrency hardware provider have been urged not to reply to any official-looking emails after a convincing phishing campaign was uncovered. Trezor makes hardware devices that customers can use to store their digital currency – a more secure alternative to the online equivalent. However, over the weekend, several of them complained to the

by Paul Ducklin Tomorrow is 31 March 2022, and the last day of March is World Backup Day… …which is a good time for us to remind you of a little saying that we like. You’ll have heard it before if you listen to the Naked Security Podcast; if so, here it is again, because

An employee of the United States National Security Agency (NSA) has been accused of sending national defense secrets from his personal email account.  A 26-count indictment unsealed Thursday in the District of Maryland alleges that 60-year-old Mark Robert Unkenholz willfully transmitted classified National Defense Information (NDI) on 13 occasions between February 14 2018 and June 1 2020.

by Paul Ducklin VMware Spring is a open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the “server” part of the process yourself. If you’ve heard the term serveless computing, then this is the sort of programming environment it refers to: the overall

The United States House of Representatives has passed a bill that would change how cybercrime is tracked, measured and reported by the federal government. The Better Cybercrime Metrics Act (S.2629), authored by US senator Brian Schatz, was approved by the House in a bipartisan 377-48 vote on Tuesday. Once signed into law, the bill will encourage local and federal

by Paul Ducklin Yesterday, we wrote about a bug in the VMware Spring product, a project we described as “an open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the ‘server’ part of the process yourself.” But Spring is a huge project, with