Security

by Paul Ducklin Ever wanted or needed to buy or sell cryptocoins on a whim, without going online? Ever felt like cashing in 100,000 Satoshis or so at 3am to treat your party buddies to a kebab-fest on the way home from a big night out? Well, if you live in the UK, you can’t

Uganda has arrested an author and activist and a TV journalist for allegedly cyber stalking the country’s President, Yoweri Museveni. Author Norman Tumuhimbise and his colleague Farida Bikobere were reportedly bundled into a van by armed security personnel last week. The pair’s lawyer, Eron Kiiza, confirmed their arrest on Thursday to the news agency Agence France-Presse (AFP).

by Paul Ducklin The latest raft of non-emergency Apple security updates are out, patching a total of 87 different CVE-rated software bugs across all Apple products and plaforms. There are 10 security bulletins for this bunch of updates, as follows: APPLE-SA-2022-03-14-1: iOS 15.4 and iPadOS 15.4 (HT213182) APPLE-SA-2022-03-14-2: watchOS 8.5 (HT213193) APPLE-SA-2022-03-14-3: tvOS 15.4 (HT213186)

A spear-phishing study by security company Barracuda has found that a third of malicious logins into compromised accounts in 2021 came from Nigeria. The finding was included in the Spear Phishing: Top Threats and Trends Vol. 7 – Key findings on the latest social engineering tactics and the growing complexity of attacks  report, released by the company on Wednesday. The

by Paul Ducklin OpenSSL published a security update this week. The new versions are 3.0.2 and 1.1.1n, corresponding to the two currently-supported flavours of OpenSSL (3.0 and 1.1.1). The patch includes a few general fixes, such as error reporting that’s been tidied up, along with an update for CVE-2022-0778, found by well-known bug eliminator Tavis

The UK’s National Cyber Security Centre (NCSC) has launched a significant public awareness campaign to encourage stronger security practices for emails and other digital accounts. The campaign offers actionable cybersecurity guidance to the public, in line with the UK government’s Cyber Aware advice. The first of these recommends using passwords containing three random words, ensuring they are unique, strong

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Paul Ducklin and Chester Wisniewski. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

The UK’s landmark Online Safety Bill has been introduced to Parliament today. The legislation was drafted in May last year and contained measures to tackle a range of digital harms, including child sexual abuse, terrorist material, fraud and online abuse. New obligations will be placed on social media firms and other services hosting user-generated content to prevent

by Paul Ducklin Last year, we wrote about a research paper from SophosLabs that investigated malware known as CryptoRom, an intriguing, albeit disheartening, nexus in the cybercrime underworld. This “confluence of criminality” saw cybercrooks adopting the same techniques as romance scammers to peddle fake cryptocurrency apps instead of false love, and fleece victims out of

Mobile applications with tens of millions of downloads are leaking sensitive user data due to the misconfiguration of back-end cloud databases, according to Check Point. The security vendor’s three-month study began with a simple query on VirusTotal for mobile apps listed on the malware scanning service that communicates with the Firebase cloud database. Throughout the study,

by Paul Ducklin The US Cybersecurity and Infrastructure Security Agency (CISA) has just put out a bulletin numbered AA22-074A, with the dramatic title Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. To sidestep rumours based on the title alone (which some readers might interpret as an attack

More than two million mobile malware samples were detected in the wild last year, with threats impacting over 10 million devices globally, according to new data from Zimperium. The mobile security vendor compiled its 2022 Global Mobile Threat Report based on insight collected from its security research team and a survey of global tech leaders. It claimed

by Paul Ducklin As almost everyone who doesn’t live in North America knows… …American dates are weird! Those of us who care about these things use YYYY-MM-DD, because writing 2022-03-14 is undoubtedly the easiest way of avoiding ambiguity in dates, givem that the four-digit part is obviously the year, and everyone who writes the year

Strong customer authentication (SCA) rules for e-commerce have come into force in the UK today following delays due to the COVID-19 pandemic. The new measures mean UK shoppers will have to provide a combination of two forms of identification at checkout when making an online purchase. These will be two of the following forms of verification: knowledge

French bank BNP Paribas has reportedly blocked its Russian-based employees from accessing its internal computer systems. According to a Reuters source, the bank rescinded the access privileges of its Russian workforce over fears that connections to the local network could leave BNP Paribas vulnerable to cyber-attacks by Russian threat actors.  The restriction is reportedly part of the French lender’s

Czech-based multinational cybersecurity software company Avast has suspended the sale and marketing of its products in Russia and Belarus.  In a statement shared Thursday, Avast said it was ceasing business in Russia and offering its premium products free of charge to the people of Ukraine. “With immediate effect, we have withdrawn the availability of all of our products

by Naked Security writer In cybersecurity history, the US Independence Day weekend of 2021 is not remembered for the restful and relaxing summer celebrations that you’d usually associate with the Fourth of July. Instead, it’s remembered as the weekend of the infamous Kaseya ransomware attack. This was ransomware-with-a-difference, and the difference was the ultimate scale

Advances in cybersecurity must focus on increasing trust in digital technologies, according to Professor Adam Joinson, director of DiscribeHub+ and Professor of Information Systems at the University of Bath. This message was delivered during a talk about the socioeconomic impact of security on trust at the final leg of Digital Security by Design (DSbD) Roadshow in Northern Ireland, UK,

by Paul Ducklin LISTEN NOW What do ransomware blackmailers ask for when they don’t want money? Why did Firefox get two updates in three days? How did Adafruit get hoist by the petard of “shadow IT”? And what’s with those dirty Linux pipes? Click-and-drag on the soundwaves below to skip to any point. You can

Microsoft has released fixes for a relatively small number of CVEs this month, with only three critical bugs and three publicly disclosed flaws in the Patch Tuesday roundup. None of the three zero days have been exploited in the wild. They include CVE-2022-24512, a remote code execution (RCE) vulnerability in .NET and Visual Studio. “According to Microsoft,

Security researchers have revealed a major new campaign by Chinese state hackers in which they exploited Log4Shell and other bugs to compromise at least six US state government networks. Mandiant claimed the activity between May 2021 and February 2022 indicated a deliberate campaign. However, it could not say definitively whether the prolific group known as

Over 100 current and former employees of a leading luxury car dealership are starting legal proceedings against the company after being left in the dark following a major data breach. Law firm Hayes Connor said today that the individuals had failed to get answers from LSH Auto after being contacted over six months ago to say a

The UK could be heading for a “cyber disaster” if it continues with its current approach to cybersecurity. This was the message of Professor John Goodacre, challenge director – Digital Security by Design, UKRI, and Professor of Computer Architectures, The University of Manchester, speaking during the latest leg of the DSbD roadshow, in Newport, Wales,

Social media sites and search engines will be forced to prevent fraudulent adverts from appearing on their platforms under new proposals published by the UK government. The new legal duty will require the most popular social media platforms to stop paid-for fraudulent adverts from appearing on their services. This measure is designed to protect internet

Ciaran Martin will present the headline keynote on day one Infosecurity is excited to announce two leading industry figures headlining the upcoming Infosecurity Magazine Spring Online Summit, taking place on March 22 and 23 2022. Day one (EMEA) of the event will see a headline keynote from the National Cyber Security Centre (NCSC)’s founding CEO Ciaran Martin, currently Professor

A Romanian man has been extradited to the United States to face charges relating to the sale of stolen financial data on the dark web.  Sorin Becheru is suspected of conspiring with others to sell stolen credit card numbers obtained using malware.  Romanian authorities arrested the 34-year-old resident of Bucharest on January 1 2022 at the request

Pro-Ukraine hackers have compromised a large number of Russian cloud databases, deleting data, renaming files and potentially exfiltrating information for future attacks, researchers have confirmed. Jeremiah Fowler and a team at Website Planet decided to look at the campaign to “hack back” at Russian entities following the invasion of Ukraine. The Anonymous hacking collective announced

Most consumers prefer to bank digitally rather than in person but are worried about the risk of fraud, according to new research by payments and data security company, Entrust. A survey of 1350 consumers who made or received digital payments in the past 12 months found that 88% of respondents prefer to do their banking online in some

A lengthy investigation into the online trade of child sexual abuse material (CSAM) has led to the arrest of dozens of individuals based in New Zealand. Led by New Zealand’s Te Tari Taiwhenua Department of Internal Affairs (DIA), the two-year international operation identified more than 90,000 online accounts that possessed or traded CSAM.  DIA’s Digital

by Paul Ducklin When the Apple AirTag hit the market in 2021, it immediately attracted the attention of hackers and reverse engineers. Could AirTags be jailbroken? Could AirTags be simulated? Could the AirTag ecosystem be used for purposes beyond Apple’s own imagination (or at least beyond its intentions)? We soon found ourselves writing up the