Security

The second day of Infosecurity Europe 2022 saw Simon Dyson, cyber security operations centre lead for NHS Digital, deliver a roundtable discussion at the Geek Street part of the conference. The session saw Dyson explain how teams can take tangible, actionable steps to boost awareness of cyber risks across their organizations, putting businesses on a

Logistics giant Yodel has confirmed it is experiencing a cyber “incident” which is causing service disruption. The UK delivery company posted an update to its site saying: “We are working to restore our operations as quickly as possible but for now, order tracking remains unavailable and parcels may arrive later than expected.” Although the firm

by Paul Ducklin Remember the Capital One breach? We did, though we felt sure it had happened a long time ago. Indeed, when we checked, it had: the story first broke almost three years ago, back in July 2019. At the time, the company reported: Capital One Financial Corporation announced […] that on July 19,

One of America’s largest banks has suffered a major data breach impacting more than 1.5 million customers. Michigan-headquartered Flagstar Bank generates annual revenues in excess of $1.6bn and describes itself as the country’s sixth-largest bank mortgage originator. Its data breach notification letter revealed the firm experienced unauthorized access to its network several months ago. “After an extensive

by Paul Ducklin Sick of the unending stream of email and phone calls you receive from scammers claiming to represent your bank? Amazon? Microsoft? The tax office? The police? We sympathise – we’re sick of them too, especially landline calls that could be a loved one calling for help or advice, and thus need to

Content management system (CMS) provider WordPress has forcibly updated over a million sites to patch a critical vulnerability affecting the Ninja Forms plugin. The flaw was spotted by the Wordfence threat intelligence team in June and documented in an advisory by the company on Thursday. In the document, Wordfence said the code injection vulnerability made it

A California man was sentenced to time in prison Wednesday after hacking thousands of iCloud accounts, stealing people’s nude images and videos and sharing them with conspirators. Hao Kuo Chi, acting under the online name of ‘icloudripper4you’, would have illegally obtained the iCloud credentials of approximately 4700 victims and shared their content with other people

Microsoft added a new known issue affecting its operating systems’ Wi-Fi hotspot feature to its official Health Dashboard page. Affecting Windows 10 and 11 machines, the bug would have been introduced with a Windows update the company released earlier this month. “After installing KB5014697, Windows devices might be unable [to] use the Wi-Fi hotspot feature.”

The UK government has proposed new data laws designed to boost economic growth and innovation, in addition to plans to clamp down on nuisance calls and minimize cookie pop-ups online. The Data Reform Bill, published following a consultation period, is designed to update the UK’s existing data rules following the country’s departure from the European Union. It

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. [00’24”] Computer Science in the 1800s. [02’56”] Fixing Follina. [08’15”] AirTag stalking. [16’22”] ID theft site seizure. [19’41”] The Law of Big Numbers versus SMS scams. With Doug Aamoth and Paul Ducklin. Intro

Free VPN software provider BeanVPN has reportedly left almost 20GB of connection logs accessible to the public, according to an investigation by Cybernews. The cache of 18.5GB connection logs allegedly contained more than 25 million records, which included user device and Play Service IDs, connection timestamps, IP addresses and more. Cybernews said it found the

by Paul Ducklin Marion County, right in the middle of the US state of Indiana, and home to the state’s capital Indianapolis, is also currently home to a tragic court case. (Thanks to fellow writers at The Register for that link – we couldn’t get to the official court site while we were writing this

A new report by Telstra Purple’s security forum ClubCISO suggested material security has significantly improved over the last year, driven by a positive shift in organizational influence by chief information security officers (CISOs). The survey analyzed the answers of more than 100 information security executives from private and public organizations worldwide. The majority (54%) said that “no material

by Paul Ducklin A few hours ago, we recorded this week’s Naked Security podcast, right on Patch Tuesday itself. It was just after 18:00 UK time when we hit the mics, which meant it was just after 10:00 Microsoft HQ time, which meant we had access to this month’s official June 2022 Security Updates bulletin

Apple CEO Tim Cook wrote a letter to the US Senate last week to call for stronger privacy legislation at the federal level. The letter, which was first obtained by MacRumors, comes after the release of a draft of the “American Data Privacy and Protection Act” (ADPPA) bipartisan bill. The drafted legislation examines and discusses several facets of

by Paul Ducklin On Thursday this week (16 June 2022 at 15:00 UK time), we’re holding a free webinar in which we’ll give you a live explanation and demonstration of the “Follina” vulnerability. Although this bug is fairly easy to deal with (a simple registry change rolled out via Group Policy will largely immunise your

There has been much activity in recent years around the use of blockchain to provide more integrity and privacy to transactions, but there are some privacy issues organizations need to know about. In a session at the RSA Conference 2022, Jim Amsler, director governance, risk and compliance, at BDO and Greg Schu, partner, national compliance lead,

A new advanced persistent threat (APT) actor dubbed Aoqin Dragon and reportedly based in China, has been linked to several hacking attacks against government, education and telecom entities mainly in Southeast Asia and Australia since 2013. The news comes from threat researchers Sentinel Labs, who published a blog post on Thursday describing the decade-long events. “We assess

There are a few bad IT practices that are dangerous for any organization and particularly for organizations in critical industries like healthcare. At the RSA Conference 2022, Donald Benack, deputy associate director at the Cybersecurity and Infrastructure Security Agency (CISA), and Joshua Corman, founder of I am the Cavalry, outlined what the US Government sees as

Threat modeling is an approach that can potentially be overly complicated, but it doesn’t have to be that way, according to Alyssa Miller, business information security officer (BISO) at S&P Global Rating, in a session at the RSA Conference 2022, Miller also explained an approach for plain language threat modeling that can help accelerate DevSecOps efforts.

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

Insights into recent cyber-threat activity was provided by Forescout’s VP of threat defense, Sean Taylor, during a session at the RSA Conference 2022. Setting the scene, Taylor stated that in international threat intelligence, “understanding your adversary is key.” He then highlighted attacks conducted by Russian state-backed attackers on Ukraine prior to the invasion. At the

by Paul Ducklin SSN is an abbreviation that’s specific to America, and DOB is shorthand that’s specific to the English language. Nevertheless, their meanings are widely known throughout the world, not least because of their widespread use in reports and discussions about identity theft and cybercrime. SSN is short for Social Security Number, which is

The ways federal agencies can strengthen national cybersecurity were discussed in a keynote session on day two of the RSA Conference 2022. Moderated by Bobbie Stempfley, vice president and business unit security officer, Dell Technologies, the session had contributions from three key personnel involved in the US government’s cybersecurity strategy: Jen Easterly, director of the Cybersecurity

by Paul Ducklin Over on our sister site, Sophos News, we’ve just published some fascinating and informative insights into cybercriminals… …answering the truly practical question, “How do they do it?” In theory, the crooks can (and do) use any and all of thousands of different attack techniques, in any combination they like. In real life,

The need for new approaches to improve cyber-threat intelligence was highlighted by Michelle Flournoy, Co-Founder and Managing Partner of WestExec Advisors, and Avril Haines, Office of the Director of National Intelligence (ODNI), in a keynote session on day one of the RSA Conference 2022. Flournoy began by observing that “we are living in a very different

Hybrid working and cloud migration during the course of the pandemic has led to a surge in DNS-related attacks, with application downtime and data theft a major consequence, according to IDC. The analyst’s 2022 Global DNS Threat Report is sponsored by security vendor efficientIP and compiled from interviews with over 1000 global organizations with more

Global healthcare organizations (HCOs) experienced a 94% year-on-year surge in ransomware attacks last year, with almost twice as many electing to pay their extorters, according to new data from Sophos. The security vendor commissioned Vanson Bourne to compile its report, The State of Ransomware in Healthcare 2022, from interviews with 381 IT pros in 31

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. [00’36”] This Week in Tech. Naming a computer after a famous scientist doesn’t always help. [02’25”] The wacky but dangerous 0-day hole in Windows. [14’14”] Supply chain attacks and the crooks who orchestrate

Connecticut Governor Ned Lamont officially signed into law the Public Act No. 22-15, titled ‘An Act Concerning Personal Data Privacy and Online Monitoring’ on May 10. Commonly referred to as the Connecticut Privacy Act (CTPA), the new legislation provides consumers with enhanced privacy rights, including the right of access, rectification and deletion of data. It also provides the