by Paul Ducklin You’ve probably heard of Let’s Encrypt, an organisation that makes it easy and cheap (in fact, free) to get HTTPS certificates for your web servers. HTTPS, short for secure HTTP, relies on the encryption protocol known as TLS, which is short for transport layer security. TLS encrypts and protects the data you
by Paul Ducklin [02’01”] A scarily exploitable hole in Microsoft open source code. [10’00”] A simpler take on delivery scams. [19’26”] Memory lane: cool mobile devices from the pre-iPhone era. [23’24”] A Face ID bypass hack, patched for the initial release of iOS 15. [35’21”] Oh! No! When you can’t get into the server (room).
by Paul Ducklin If you’ve already listened to this week’s Naked Security Podcast you’ll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday… …had been dumped forever by Apple. Apple notoriously won’t tell you anything about the security situation in its
A cyber-criminal who defrauded American telecommunications giant AT&T out of more than $200m through a phone-unlocking bribery scheme has been sentenced to prison. Muhammad Fahd, a 35-year-old citizen of Pakistan and Grenada, led a seven-year conspiracy in which AT&T employees were bribed to unlawfully unlock nearly two million customers’ cell phones for profit. The plot began in
More Native American tribes are going to be given enhanced access to critical databases containing national crime information for the United States. In an announcement made September 16, the Department of Justice said that 12 tribes have been newly selected to participate in the Tribal Access Program for National Crime Information (TAP), bringing the total number of
Over $133m has already been lost this year to romance scams, with victims increasingly urged to invest in fraudulent cryptocurrency opportunities, according to the FBI. A new Public Service Announcement was published yesterday revealing that the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints from January 1 to June 31 this year, resulting in soaring
by Paul Ducklin The September 2021 Patch Tuesday updates from Microsoft came out this week. The fix that everyone was waiting for with bated breath was the patch for CVE-2021-40444, a zero-day remote code execution bug in MSHTML that was announced by Microsoft just days before Patch Tuesday came around: Windows zero-day MSHTML attack –
Three big-name UK brands have been collectively fined nearly half a million pounds by the privacy regulator after sending hundreds of millions of nuisance marketing messages to consumers. We Buy Any Car was fined £200,000 by the Information Commissioner’s Office (ICO) after bombarding consumers with over 191 million emails and 3.6 million nuisance texts. Saga Services and Saga Personal
by Paul Ducklin [01’28”] Apple patches two zero-day bugs. [09’25”] Microsoft patches one zero-day bug. [15’49”] A security researcher finds a fast-food bug (non-insect sort). [23’04”] Oh! No! A touchpad user turns right into left, and vice versa. (See also: Big Office bug squashed for September 2021 Patch Tuesday.) With Paul Ducklin and Doug Aamoth.
Three former members of the United States military or United States Intelligence Community (USIC) have been fined for providing hacking-related services to a foreign government. United States citizens, 49-year-old Marc Baier and 34-year-old Ryan Adams, and 40-year-old former US citizen Daniel Gericke were investigated by the Department of Justice (DOJ) over claims that they had violated U.S.
by Paul Ducklin Articles in our Serious Security series are often fairly technical, although we nevertheless aim to keep them free from jargon. In the past, we’ve dug into topics that include: website hacking (and how to avoid it), numeric computation (and how to get it right), and post-quantum cryptography (and why we’re getting
Global financial services firms spent more than $2m on average recovering from a ransomware attack last year, according to new data from Sophos. The UK security vendor polled 550 IT decision-makers in mid-sized financial sector firms around the globe to compile its State of Ransomware in Financial Services 2021 report. It found that a third (34%) of firms
by Paul Ducklin You know what we’re going to say, so we’ll say it right away. Patch early, patch often. Canadian privacy and cybersecurity activist group The Citizen Lab just announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems. They’ve given the attack the nickname FORCEDENTRY, for rather obvious reasons, though
Messaging giant WhatsApp is set to roll out end-to-end encrypted (E2EE) backups later this year, in what privacy campaigners claim to be another win for user privacy and security. The Facebook-owned company said it had designed an entirely new system for encryption key storage to support the new service. “With E2EE backups enabled, backups will be encrypted
A Ukrainian accused of decrypting the credentials of thousands of computers across the globe and selling them on the dark web has been extradited to the United States. US authorities indicted Glib Oleksandr Ivanov-Tolpintsev in October 2020 in connection with charges of conspiracy, trafficking in unauthorized access devices, and trafficking in computer passwords. Polish authorities arrested 28-year-old
A student who hacked into a British university’s computer network and made thousands of dollars by selling the answers to exams has been sentenced to prison. Hayder Aljayyash, who is 29 and was born in Iraq, was welcomed into the UK as an asylum seeker. Between November 2017 and May 2019, Aljayyash illegally accessed the
Cloud security company Menlo Security has appointed Devin Ertel as its Chief Information Security Officer (CISO). Ertel takes up the post following nearly 20 years of experience as an information security professional. Most recently, he was CISO at FinTech firm BlackHawk Network, where he managed a global team responsible for security, risk and compliance. Prior
by Paul Ducklin [00’18”] Sign up free for our Security SOS Week 2021! [02’54”] Overlooked security flaw leaves web code vulnerable. [13’51”] A home alarm system that almost anyone can turn off. [25’06”] Some fascinating Firefox bugs fixed. [31’02”] Oh! No! When you grab your laptop… but it’s not yours. With Paul Ducklin and Doug
Securing the new hybrid workplace may require significant changes to culture, policy and technology after new HP research revealed significant pushback from remote workers during the pandemic. The tech giant surveyed over 1000 IT decision-makers and more than 8400 workers across the globe to compile its latest HP Wolf Security study, Rebellions & Rejections. It revealed that nearly
by Paul Ducklin Details are scarce so far, but Microsoft is warning Office users about a bug that’s dubbed CVE-2021-40444, and described as Microsoft MSHTML Remote Code Execution Vulnerability. The bug doesn’t have a patch yet, so it’s what’s known as a zero-day, shorthand for “the Good Guys were zero days ahead of the Bad
Over half (51%) of cybersecurity professionals are kept up at night by the stress of the job and work challenges, according to CIISec’s 2020/21 State of the Profession report. The survey of 557 security professionals found that stress and burnout have become a major issue during the COVID-19 pandemic. This is partly due to overwork — the study found
Germany has accused Russia of attempting to influence its upcoming general election through a wave of cyber-attacks. The German Foreign Ministry said it had “reliable information” that hackers working for Russia’s GRU military intelligence service tried to steal login details of federal and state lawmakers. This is likely for the purpose of misleading voters by
by Paul Ducklin Not long ago, independent software developer Tim Perry, creator of the HTTP Toolkit for intercepting and debugging web traffic… …decided to add proxy support to his product, which, like lots of software these days, is written using Node.js. ICYMI, Node.js is the project that took the JavaScript language out of your browser
US government security experts have urged system administrators to patch two critical flaws in widely used Cisco and Atlassian products, exposing them to compromise. In a rare move, US Cyber Command took to Twitter before the Labor Day holiday weekend on Friday to address the Atlassian bug. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing
Another Accellion breach victim has been named nine months after threat actors exploited zero-day vulnerabilities in the company’s File Transfer Application. Beaumont Health has notified approximately 1500 patients that their personal data may have been compromised in the December attack on Accellion software. Goodwin Procter LLP, which was hired by Beaumont to provide legal services, used Accellion’s File Transfer software
Two new senior cybersecurity appointments have been announced by the United States Department of Homeland Security. Former lead solution engineer at Salesforce, David Larrimore, has been named as the Department’s chief technology officer. Between 2016 and 2019, Larrimore occupied the same position at the Immigration and Customs Enforcement (ICE) component. Other roles held by Larrimore include an
by Paul Ducklin [02’00”] Security code flushes out security bugs. [15’48”] Recursion: see recursion. [26’34”] Phishing (and lots of it). [33’09”] Oh! No! The Windows desktop that got so big it imploded. With Paul Ducklin and Doug Aamoth. Intro and outro music by Edith Mudge. LISTEN NOW Click-and-drag on the soundwaves below to skip to
Tech giant Apple has announced that eight US states will start accepting driver’s licenses and other state IDs that are stored on iPhones and Apple Watch. Arizona and Georgia will be the first states to allow their residents to use this system, and will be followed by Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah. The
by Paul Ducklin A researcher at vulnerability and red-team company Rapid7 recently uncovered a pair of risky security bugs in a digital home security product. The first bug, reported back in May 2021 and dubbed CVE-2021-39276, means that an attacker who knows the email address against which you registered your product can effectively use your
A team of researchers at a UK university have designed a new device, which they claim will mitigate the risk of malicious USB drives. The “external scanning device” was designed at Liverpool Hope University and will soon go into production, having been granted a patent by the Indian government. It has been engineered to overcome