Security

by Paul Ducklin WordPress plugins need to be kept up-to-date just as keenly as WordPress itself… …especially if those plugins are designed to help you look after the entirety of your WordPress site data. That’s why we thought we’d write about a recent warning from the creators of Updraft and Updraft Plus, which are free

by Paul Ducklin Just over a year ago, graphics card behemoth Nvidia announced an unexpected software “feature”: anti-cryptomining code baked into the drivers for its latest graphics processing units (GPUs). Simply put, if the driver software thinks you’re using the GPU to perform calculations related to Ethereum cryptocurrency calculations, it cuts the execution speed of

by Paul Ducklin We monitor a range of email addresses related to Naked Security, so we receieve a regular (a word we are using here to mean “unrelenting”) supply of real-world spams and scams. Some of our email addresses are obviously directly associated with various Sophos-related social media accounts; others are more general business-oriented addresses;

by Paul Ducklin If you use Mozilla Firefox or any Chromium-based browser, notably Google Chrome or Microsoft Edge, you’ll know that the version numbers of these products are currently at 97 and 98 respectively. And if you’ve ever looked at your browser’s User-Agent string, you’ll know that these version numbers are, by default, transmitted to

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

by Paul Ducklin Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical. Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first: We have had reports of attacks

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

by Paul Ducklin Max Kellermann, a coder and security researcher for German content management software creators CM4all, has just published a fascinating report about a Linux kernel bug that was patched recently. He called the vulnerability Dirty Pipe, because it involves insecure interaction between a true Linux file (one that’s saved permanently on disk) and

by Paul Ducklin Popular open-source computer hardware company Adafruit Industries accidentally exposed customer data… …via the GitHub account of a former employee. As you’ve probably figured out already, Adafruit is named after after Ada Lovelace, a nineteenth-century British intellectual who was a computer programmer long before any programmable computers existed. As mysterious as that might

Renowned documentarist Louis Theroux described the growing societal dangers posed by social media use during the keynote interview at the Digital Transformation EXPO Europe 2021. The session came ahead of the release of Theroux’s new three-part documentary series, exploring how tech is increasingly coalescing with human psychology. In one prominent example of this, he noted that

by Paul Ducklin Back in June this year, we wrote about a ransomware-related bust in Ukraine, featuring a police video in which a high-security door was dismantled with a BFG (Big Fat Grinder), substantial piles of cash were counted out and packed into evidence bags, and numerous fancy cars were seized. Well, here’s another bust

The offshore assets of 35 current and former world leaders have been exposed in an unprecedented leak of financial records dubbed the Pandora Papers.  The cache of 11.9 million confidential files was leaked to the International Consortium of Investigative Journalists (ICIJ) in Washington, DC. Containing 2.94 terabytes of data, the Papers represent the largest trove of

by Paul Ducklin As you probably know (or, at least, as you know now!), October is Cybersecurity Awareness Month, which means it’s a great opportunity to do three things: Stop. Think. Connect. Those three words were chosen many years ago by the US public service as a short and simple motto for cybersecurity awareness. 5

The United States Coast Guard has launched a new program that gives cyber professionals the chance to become Coast Guard Cyber Officers.  With the launch of the Direct Commission Cyber Officer (DCCO) program, the maritime security branch of the United States military is hoping to attract top cyber talent to work in cyberspace operations, information assurance, cyber

A Kittitian soccer player has made a charitable donation of the compensation he received after being racially abused on social media.  Midfielder Romaine Sawyers, who is currently on loan at Stoke City Football Club from his parent club, West Bromwich Albion, was victimized by 50-year-old cyber-bully Simon Silwood of Kingswinford, West Midlands. Silwood was arrested

A tragic case making its way through the courts in the US could prove to be the first recorded death due to ransomware. According to papers filed in June 2020 (via NBC), Teiranni Kidd of Mobile, Alabama, is accusing Springhill Memorial Hospital and its owners of failing to mitigate a crippling cyber-attack and then conspiring to hide

The long-awaited release of the new James Bond movie is being exploited by cyber-criminals, according to cybersecurity company Kaspersky.  No Time to Die is actor Daniel Craig’s fifth and final fling with the internationally renowned 007 spy character created by author Ian Fleming. Bond first entered the public consciousness in 1952 with the publication of Fleming’s

Crime-fighters in Europe and the UK have signed a new agreement to boost cooperation on cybercrime and other investigations. The working agreement between the UK’s National Crime Agency (NCA), which investigates serious and organized crimes, and Europol will sit under the UK-EU trade and cooperation agreement (TCA). That’s the limited post-Brexit free trade agreement between

Two-fifths (40%) of business executives would be willing to pay at least a five-figure ransom to restore operations following an attack, going against the advice of governments and law enforcement, according to a new report. Arctic Wolf polled 500 decision-makers from UK firms with over 1000 employees to better understand their security challenges in the new

The UK Cyber Security Council has announced the appointment of four new trustees, taking its total number to eight. The new trustees come with a range of backgrounds and expertise, designed to add legal, governance and education expertise to the Board of Trustees of the Council. They were appointed following a recruitment and selection process overseen by

America’s head of state, Joe Biden, has announced plans to hold a meeting with representatives of 30 different countries later this month to discuss ransomware and other cybersecurity issues.  In a statement released to coincide with the first day of America’s annual Cybersecurity Awareness Month, President Biden said that the chief purpose of the confab would be to address

The owner of two chains of American luxury department stores has warned 4.6 million Neiman Marcus customers that their personal data may have been exposed in a security incident that happened 17 months ago.  Neiman Marcus Group, which owns the Neiman Marcus and Bergdorf Goodman department stores, as well as the high-end home goods line

Today marks the start of the 18th Annual Cybersecurity Awareness Month in America, and this year’s theme is “Do Your Part. #BeCyberSmart.” The digital safety initiative was launched back in October 2004 by the National Cyber Security Alliance and the United States Department of Homeland Security to help the public stay safe and secure while

by Paul Ducklin Thanks to James Cope and Rajeev Kapur of Sophos IT for their help with this article. Researchers at a cybersecurity startup called Guardicore just published a report about an experiment they conducted over the past four months… …in which they claim to have collected hundreds of thousands of Exchange and Windows passwords

by Paul Ducklin VMware’s latest security update includes patches for 19 different CVE-numbered vulnerabilities affecting the company’s vCenter Server and Cloud Foundation products. All of the bugs can be considered serious – they wouldn’t be enumerated in an official security advisory if they weren’t – but VMware has identified one of them, dubbed CVE-2021-22005, as

by Paul Ducklin Apple’s iOS 15 is now out – the very latest software version for iPhones, just in time for the official launch of the new iPhone 13 later in the week. (Yes, you can buy an iPhone 13 today, but only by placing what modern sales and marketing jargon refers to as a

by Paul Ducklin We’ve been warning about fake courier scams on Naked Security for many years, even before the coronavirus pandemic increased our collective reliance on home deliveries. These scams can take many different forms, including: A fake gift sent by an online “friend” is delayed by customs charges. This is a common ruse used

by Paul Ducklin You might be forgiven for thinking that cybercrime is almost all about ransomware and cryptocoins these days. In a ransomware attack, the crooks typically blackmail you to send them cryptocurrency in return for giving you your stolen data back (or for not selling it on to someone else). In a cryptocoin attack,

by Paul Ducklin [00’22”] Guess what? iOS 12 wasn’t dead, it was just resting. [03’04”] Let’s Encrypt brings HTTPS to everyone. [12’12”] Researchers rediscover an Outlook data leakage issue. [25’34”] VMware keeps it real. [28’47”] Oh! No! When the mouse is away, the cat will play. With Paul Ducklin and Doug Aamoth. Intro and outro

by Paul Ducklin A not-yet-published paper from researchers in the UK has been making media headlines because of its dramatic claims about Apple Pay. Apple-centric publication 9to5Mac covered it with a headline that was almost a story in itself: Apparent flaw allows hackers to steal money from a locked iPhone, when a Visa card is