by Paul Ducklin “It’s Log4Shell, Jim,” as Commander Spock never actually said, “But not as we know it.” That’s the briefest summary we can come up with of the bug CVE-2021-42392, a security hole recently reported by researchers at software supply chain management company Jfrog. This time, the bug isn’t in Apache’s beleagured Log4j toolkit,
Month: January 2022
A mix-up at a school in Worcestershire, England, caused parents to receive the Covid-19 test results of other people’s children. The data breach, reported today by the Evesham Journal, occurred at co-educational secondary school and sixth-form college The De Montfort School (TDMS) in Evesham, which is part of the Four Stones Multi Academy Trust. Students returning
The internet’s greatest feat? Fundamentally shifting how we live. Once a revelation, it quickly set our long-standing beliefs about how we work, play, and connect into a whole new context. Today, the shifts come fast. Video meetings once felt alien. Now, they’re part of our routine. We’ve gone from setting doctor’s appointments online to actually
A sea of sensors will soon influence almost everything in your world Probably for the first time in its history, CES has more sensors on the show floor than attendees. What the show lacks in physical attendees, it makes up for with the sheer volume and variety of tiny sensors that will influence almost everything
The Commission nationale de l’informatique et des libertés (CNIL), France’s data protection watchdog, has slapped Facebook (now Meta Platforms) and Google with fines of €150 million ($170 million) and €60 million ($68 million) for violating E.U. privacy rules by failing to provide users with an easy option to reject cookie tracking technology. “The websites facebook.com,
by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
A cyber-attack on American hospitality chain McMenamins may have exposed data belonging to its current and former employees. The business, which owns and operates brewpubs, breweries, music venues, historic hotels, and theater pubs in Oregon and Washington, issued a data breach notice after suffering a ransomware attack. Suspicious activity was identified in the company’s computer network on
Introduction In February 2021, the company Dbappsecurity discovered a sample in the wild that exploited a zero-day vulnerability on Windows 10 x64. The vulnerability, CVE-2021-1732, is a win32k window object type confusion leading to an OOB (out-of-bounds) write which can be used to create arbitrary memory read and write capabilities within the Windows kernel (local
From social engineering to looking over your shoulder, here are some of the most common tricks that bad guys use to steal passwords The concept of the password has been around for centuries and passwords were introduced into computing way sooner than most of us can remember. One reason for the enduring popularity of passwords
VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an “important” security vulnerability that could be weaponized by a threat actor to take control of affected systems. The issue relates to a heap-overflow vulnerability — tracked as CVE-2021-22045 (CVSS score: 7.7) — that, if successfully exploited, results in the execution of arbitrary
by Paul Ducklin The Federal Trade Commission (FTC) is the US consumer rights body, and it has sailed into 2022 with a bang, not a whimper. Using the infamous Log4Shell vulnerability as what you might call its Exhibit A, the FTC has fired a shot across the bows of companies in US jurisdictions, telling them
Police in India have launched an investigation into an app featuring images of Muslim women described as being “for sale as maids.” Open-source online auction application Bulli Bai was hosted by GitHub but has now been removed from the online platform. Indian minister for information and technology Ashwini Vaishnawm said on Saturday that GitHub also
It happens with more regularity than any of us like to see. There’s either a headline in your news feed or an email from a website or service you have an account with—there’s been a data breach. So what do you do when you find out that you and your information may have been caught
How can you help your kids navigate Instagram safely? Here are a few tips to help you protect their privacy on the app. While many teens have recently been captivated by other social media apps du jour, most notably TikTok, Instagram continues to hold its own among young internet users. Indeed, children aged 13-17 make
Threat actors leveraged a cloud video hosting service to carry out a supply chain attack on more than 100 real estate websites operated by Sotheby’s Realty that involved injecting malicious skimmers to steal sensitive personal information. “The attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded
by Paul Ducklin A security research called Trevor Spiniolas has just published information about a bug he claims has existed in Apple’s iOS operating system since at least version 14.7. The bug affects the Home app, Apple’s home automation software that lets you control home devices – webcams, doorbells, thermostats, light bulbs, and so on –
Be alert, be proactive and break these 10 bad habits to improve your cyber-hygiene in 2022 The new year is a new opportunity to rewire your digital life. An increasingly important part of this is cybersecurity. In fact, 2021 is already shaping up to have been one of the most prolific years yet for cybercriminals.
Trojanized installers of the Telegram messaging application are being used to distribute the Windows-based Purple Fox backdoor on compromised systems. That’s according to new research published by Minerva Labs, describing the attack as different from intrusions that typically take advantage of legitimate software for dropping malicious payloads. “This threat actor was able to leave most
The internet is meant for all to enjoy. And that’s who we’re looking out for—you and everyone who wants to enjoy life online. We believe it’s important that someone has your back like that, particularly where some of today’s hacks and attacks can leave people feeling a little uneasy from time to time. You’ve probably seen stories about data breaches at big companies pop up in your news feed. Or perhaps you or someone you know had their debit or credit card number hacked. Problems
Microsoft, over the weekend, rolled out a fix to address an issue that caused email messages to get stuck on its Exchange Server platforms due to what it blamed on a date validation error at around the turn of the year. “The problem relates to a date check failure with the change of the new
Consumers have been warned to stay vigilant of delivery scam texts while online shopping for Christmas and during the Boxing Day sales. UK Finance cited new data from cybersecurity firm Proofpoint showing that delivery ‘smishing’ scams are surging amid the busiest shopping period of the year. This showed that over half (55.94%) of all reported smishing text
Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature that’s dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. DanderSpritz came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the
A Texas resident has been convicted of stealing hundreds of thousands of dollars from a school district in Idaho through a business email compromise (BEC) scam. Teton School District 401, which serves 1,800 students in seven schools in Teton County, fell victim to the cybercrime three years ago. In 2018, the district’s business manager, Carl Church,
A never-before-seen China-based targeted intrusion adversary dubbed Aquatic Panda has been observed leveraging critical flaws in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems. Cybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed “large academic