Month: January 2022

by Paul Ducklin Typefaces can be a tricky business, both technically and legally. Before word processors, laser printers and digital publishing, printed materials were quite literally “set in metal” (or wood), with typesetters laying out lines and pages by hand, using mirror-image letters cast on metal stalks (or carved into wooden blocks) that could be

The US government has effectively stripped another Chinese telecoms player of its license to operate in the country on national security grounds. The new Federal Communications Commission (FCC) order ends the ability of China Unicom Americas to provide telecoms services within the US. It follows a March 2021 finding by the FCC in which it

by Paul Ducklin Just under two weeks ago, we wrote about an Apple Safari bug that could allow rogue website operators to track you even if they gave every impression of not doing so, and even if you had strict privacy protection turned on. In fact, that vulnerability, now known as CVE-2022-22594, showed up in

New research from managed detection and response (MDR) provider Expel found that most ransomware attacks in 2021 were self-installed.  The finding was included in the company’s inaugural annual report on cybersecurity trends and predictions, Great eXpeltations, published on Thursday.  Researchers found eight out of ten ransomware infections occurred after victims unwittingly opened a zipped file containing malicious

by Paul Ducklin A Naked Security reader in the UK alerted us to a scam they received this afternoon in a text message. The message claimed to come from the NHS, Britain’s National Health Service, which administers coronavirus vaccinations and provides free testing throughout the country: As you probably know, PCR tests, which currently require

The Federal Bureau of Investigation (FBI) has issued a Private Industry Notice on protecting against malicious activity by Iranian cyber company Emennet Pasargad (formerly known as Eeleyanet Gostar). Two Iranian nationals employed by the company were indicted on October 20 2021 by a grand jury in the US District Court for the Southern District of New York

by Paul Ducklin You’ve probably had 42 emails already this week to tell you this… …but we’re going to say it anyway: “Happy Data Privacy Day!” Don’t panic. We’re not going to assail you with an academic argument about asserting your privacy, or provoke you with a polemic positing that privacy and a private life

The National Cyber Security Centre (NCSC) has warned UK organizations to prepare for Russian cyber-attacks amid ongoing geopolitical tensions in Ukraine. The new guidance follows numerous malicious cyber-incidents in Ukraine in the past month, which the NCSC said corresponds with past Russian behavior. These include more than a dozen Ukrainian government websites getting taken offline in a cyber-attack, while

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

A leading maker of network-attached storage (NAS) devices is urging customers to upgrade to the latest software version and reconfigure their systems in order to thwart a new ransomware campaign. Taiwan vendor QNAP released a statement yesterday in response to the mounting threat from a new variant known as “DeadBolt.” It advised customers to ensure their

by Paul Ducklin Researchers at Qualys have revealed a now-patched security hole in a very widely used Linux security toolkit that’s included in almost every Linux distro out there. The bug is officially known as CVE-2021-4034, but Qualys has given it a funky name, a logo and a web page of its own, dubbing it

There’s been a 29% increase in the number of vulnerabilities exploited by ransomware groups to compromise their targets over the past year, according to a new industry report. The Ransomware Spotlight Year End Report was written by security vendors Ivanti and Cyware alongside CVE numbering authority Cyber Security Works. It’s compiled from multiple data sources, including Ivanti and

by Paul Ducklin Many countries have taxation forms with names that have entered the general vocabulary, notably the abbreviations of documents that employers are obliged to provide to their staff to show how much money they were paid – and, most importantly, how much tax was already witheld and paid in on the employee’s behalf.

Security experts have stood up for cybersecurity whistleblowers after a report on Monday claimed a senior employee at a well-known carmaker was fired after raising concerns about fraud. The Volkswagen staffer was dismissed weeks after raising the alarm about possible vulnerabilities in the company’s payments platform, Volkswagen Payments SA, which JP Morgan bought a 75%

by Naked Security writer Russian news agency Tass reported over the weekend that the “purported founder” of a notorious cybercrime group known as Infraud Organisation has been arrested. Naked Security first wrote about law enforcement action against this crime crew almost three years ago, back in February 2018, when the US Department of Justice (DOJ)

The volume of publicly reported data compromises in the US soared 68% year-on-year to a record high of 1862, according to new data from the Identity Theft Resource Center (ITRC). The non-profit said the figure was 23% higher than the previous record, set in 2017. The number of victims was down 5%, continuing a recent trend

Pennsylvania has approved new legislation barring state and local governments from using taxpayers’ money to pay ransoms to cyber-criminals.  Senate Bill 726, amending Title 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, was approved by the Pennsylvania Senate on Wednesday. The legislation has now advanced to the House of Representatives for further consideration. The amendment defines ransomware