Security

The European Union Parliament adopted the Digital Operational Resilience Act (DORA) on November 10, 2022. Set to be enshrined into law at the end of 2022, DORA will introduce a comprehensive set of rules for financial organizations to strengthen their digital operational resilience and prevent and mitigate cyber threats. With this new regulation in mind,

by Paul Ducklin Over the past year, we’ve had the unfortunate need to warn our readers not once, but twice, about a scam we’ve dubbed CryptoRom, a portmanteau word formed from the terms “Cryptocurrency” and “Romance scam”. Simply put, these scammers use a variety of techniques, notably including prowling on dating sites, to meet people

A Vietnam-based hacking operation dubbed “Ducktail” is targeting individuals and companies operating on Facebook’s Ads and Business platform. Security researchers at WithSecure discovered the campaign earlier this year and described new developments in an advisory published earlier today. “We don’t see any signs of Ducktail slowing down soon, but rather see them evolve rapidly in

by Paul Ducklin Just under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange. As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082: [were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a

Google has announced a legal victory against two Russian nationals connected with the Glupteba botnet. In a blog post last Friday, the tech giant said the court’s ruling against the botnet operators set a crucial legal precedent and sends a warning to cyber-criminals and their accomplices. “Last December, Google’s Threat Analysis Group (TAG) shared the

by Paul Ducklin Phishing scams that try to trick you into putting your real password into a fake site have been around for decades. As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because: Password managers

A credential phishing attack reportedly targeted 22,000 students at national educational institutions with a campaign impersonating Instagram. The information comes from security experts at Armorblox, who highlighted the new threat in an advisory on November 17, 2022.  “The subject of this email encouraged victims to open the message,” reads the technical write-up. The goal of this

On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) published the final part of its three-section series on securing the software supply chain. The publication, which follows the August 2022 release of guidance for developers and the October 2022 release of guidance for suppliers, provides recommended practices for customers to ensure the integrity and

Shoppers should stay alert on Black Friday as hackers launch new scams in the lead-up to the event. Check Point Research (CPR) said the team has already observed a sharp increase in shopping-related phishing scams, with threat actors imitating well-known brands. “While consumers are getting ready to bag the best deal, cybercriminals are taking advantage

by Paul Ducklin Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet… …including, of course, right here on Naked Security! As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter

Swiss authorities have apprehended a Ukrainian national wanted by the Federal Bureau of Investigation (FBI) for 12 years for connections with a cyber-criminal group that stole millions of dollars from bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov was arrested in Geneva on October 23, 2022, and is now pending extradition to the US,

by Paul Ducklin DON’T LET ONE LOUSY EMAIL PASSWORD SINK THE COMPANY Microsoft’s tilt at the MP3 marketplace. Apple’s not-a-zero-day emergency. Cracking the lock on Android phones. Browser-in-the-Browser revisited. The Emmenthal cheese attack. Business Email Compromise and how to prevent it. Click-and-drag on the soundwaves below to skip to any point. You can also listen

Google has announced plans to roll out the initial Privacy Sandbox Beta to Android 13 mobile devices earlier next year. Initially unveiled in February, the project aims to bring new and more private advertising solutions to mobile. “Over the course of 2022, we’ve published design proposals and released a number of Developer Previews,” Android product

by Paul Ducklin Firefox’s latest once-every-four-weeks security update is out, bringing the popular alternative browser to version 107.0, or Extended Support Release (ESR) 102.5 if you prefer not to get new feature releases every month. (As we’ve explained before, the ESR version number tells you which feature set you have, plus the number of times

State-sponsored actors in the Billbug group (aka Lotus Blossom and Thrip) have tried to compromise a digital certificate authority in an Asian country during a campaign targeting multiple government agencies. Security researchers from Symantec have made the discovery and shared the findings in an advisory published earlier today. “In activity documented by Symantec in 2019,

by Paul Ducklin Researchers at cloud coding security company Oxeye have written up a critical bug that they recently discovered in the popular cloud development toolkit Backstage. Their report includes an explanation of how the bug works, plus proof-of-concept (PoC) code showing how to exploit it. Backstage is what’s known as a cloud developer portal

Code hosting company GitHub has unveiled a new direct channel for security researchers to report vulnerabilities in public repositories. The feature needs to be manually enabled by repository maintainers and, once active, enables security researchers to report any vulnerabilities identified in their code. “Owners and administrators of public repositories can allow security researchers to report

by Naked Security writer He was sentenced under his real-life name of Ramon, but in back in his boastful days of pretending to be a seriously successful real estate agent based in Dubai, you may have seen and heard of him as Ray, or, to give him his full nickname, Ray Hushpuppi. To be clear,

Several of Twitter’s C-level security and privacy executives have resigned following the chaos that ensued from the Elon Musk acquisition of the social media platform. “I’ve made the hard decision to leave Twitter,” said the company’s now-former chief information security officer Lea Kissner in a tweet on Thursday. “I’ve had the opportunity to work with

A Russian and Canadian national has been charged with conspiracy to intentionally damage protected computers and to transmit ransom demands in connection with the LockBit global campaign. Mikhail Vasiliev, 33, was apprehended in Bradford, Ontario yesterday and is currently in custody in Canada, awaiting extradition to the US. “This arrest is the result of over

by Paul Ducklin Remember those Exchange zero-days that emerged in a blaze of publicity back in September 2022? Those flaws, and attacks based on them, were wittily but misleadingly dubbed ProxyNotShell because the vulnerabilities involved were reminiscent of the ProxyShell security flaw in Exchange that hit the news in August 2021. Fortunately, unlike ProxyShell, the

The Cybersecurity and Infrastructure Security Agency (CISA) has published a new guide on Stakeholder-Specific Vulnerability Categorization (SSVC). This vulnerability management methodology is designed to assess vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts on safety and prevalence of the affected product in a singular system. SSVC was first created by CISA in collaboration

by Paul Ducklin A bug bounty hunter called David Schütz has just published a detailed report describing how he crossed swords with Google for several months over what he considered a dangerous Android security hole. According to Schütz, he stumbled on a total Android lockscreen bypass bug entirely by accident in June 2022, under real-life

Three vulnerabilities have been discovered in the UEFI firmware of several Lenovo notebooks. Tracked CVE-2022-3430, CVE-2022-3431 and CVE-2022-3432, the flaws have been found by security researchers at ESET and affect various Lenovo Yoga, IdeaPad and ThinkBook devices. The first of the vulnerabilities is a flaw in the WMI Setup driver, which may allow an attacker with elevated privileges to modify

by Paul Ducklin THREE BILLION DOLLARS IN A POPCORN TIN? Radio waves so mysterious they’re known only as X-Rays. Were there six 0-days or only four? The cops who found $3 billion in a popcorn tin. Blue badge confusion. When URL scanning goes wrong. Tracking down every last unpatched file. Why even unlikely exploits can

A path-traversal vulnerability has been discovered in ABB Totalflow flow computers and controllers that could lead to code injection and arbitrary code execution (ACE). The high-risk vulnerability (tracked CVE-2022-0902) has a CVSS v3 of 8.1 and affected several ABB G5 products. It has been discovered by security experts at Team82, Claroty’s research arm. “Attackers can exploit this

by Paul Ducklin No sooner had we stopped to catch our breath after reviewing the latest 62 patches (or 64, depending on how you count) dropped by Microsoft on Patch Tuesday… …than Apple’s latest security bulletins landed in our inbox. This time there were just two reported fixes: for mobile devices running the latest iOS

Twelve percent of all employees take sensitive intellectual property (IP) with them when they leave an organization. The data comes from workforce cyber intelligence and security company Dtex, which published a report about top insider risk trends for 2022 earlier today. “Customer data, employee data, health records, sales contacts, and the list goes on,” reads

by Paul Ducklin Here’s an important thing to remember about jurisprudential arithmetic, where two negatives definitely don’t make a positive: stealing money from someone who originally acquired it through criminal means doesn’t “cancel out” the criminality. You can still go to prison for a very lengthy stretch, and here’s one way. Remember Silk Road? Not

Australia’s largest health insurer Medibank has announced it will not pay a ransom to the threat actors behind the October data breach affecting 9.7 million customers. Writing on LinkedIn over the weekend, Medibank CEO David Koczkar said that, based on the advice the company has received from cybercrime experts, they believe that there is only a