Security

by Paul Ducklin Early in April 2022, news broke that various users of Microsoft’s GitHub platform had suffered unauthorised access to their private source code. GitHib has now updated its incident report to say that it is “in the process of sending the final expected notifications to GitHub.com customers who had either the Heroku or

A cyber-attack on a hotel reservation system has exposed the personal data of thousands of guests who stayed at upscale Finnish hotels. News of the security incident, which has impacted at least five hotels, was first reported by Finnish news agency MTV on Tuesday.  Between February 10 and 14, cyber-attackers exploited a vulnerability to hack

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. Listen on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.Or simply drop the URL

Deepfake technology is set to be used extensively in organized crime over the coming years, according to new research by Europol. Deepfakes involve the application of artificial intelligence to audio and audio-visual consent “that convincingly shows people saying or doing things they never did, or create personas that never existed in the first place.” Facing Reality?

by Paul Ducklin Even if you’re not a native speaker of English, you’ve probably heard the curious saying, “It’s a bit of a Curate’s Egg”, referring to something about which you’re determined to keep a positive public attitude, even if your immediate private reaction was to be disappointed. The saying has certainly stood the test

Most organizations have suffered a data breach connected with a shortage of skills in the cybersecurity industry, according to new research published today. Fortinet’s 2022 Cybersecurity Skills Gap Report identified multiple risks associated with cybersecurity’s skills gap. Most (80%) organizations surveyed for the report said they had suffered at least one breach they could attribute to a

The British Army’s online recruitment portal has been offline for more than a month following a data breach.  Officials shut the computerized enrollment system down in the middle of March as a precaution after the personal data of more than 100 army recruits was found being offered for sale on the dark web. An investigation

by Paul Ducklin We’re sure you’ve heard of the KISS principle: Keep It Simple and Straightforward. In cybersecurity, KISS cuts two ways. KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.

Email accounts at a Kansas hospital were compromised for nearly a year in a prolonged data breach affecting more than 52,000 individuals. Emporia-based Newman Regional Health was breached by an unauthorized threat actor last year. In a data security notice on its website, the healthcare provider disclosed that the actor was able to access a limited number of email

An American respiratory care provider is facing multiple lawsuits over a data breach that allegedly exposed the personal information of more than 300,000 current and former patients. SuperCare Health, headquartered in Downey, California, began notifying patients of a data security incident in late March. According to a notice on the healthcare provider’s website, SuperCare Health discovered unauthorized activity on

A Canadian youth employment services provider has launched a free cybersecurity training program. Funded by the Government of Ontario’s Skills Development Fund, the new program offered by Youth Employment Services (YES) aims to help Canadian youngsters who disclose mental health issues and Ukrainian refugees find work in the cybersecurity industry.  YES president and CEO Timothy Lang said:

by Paul Ducklin QNAP, the makers of Networked Attached Storage (NAS) devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company’s products. Home and small office NAS devices, which typically range in size from that of a small dictionary to that of a large

Pennsylvania-based convenience store and gas station chain Wawa is seeking the return of penalties it paid to Mastercard following a 2019 data breach of its customer payment security systems. In December 2019, Wawa CEO Chris Gheysens announced that malware that steals credit card information had potentially been operating at Wawa’s 842 locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC

The company behind a popular American brand of whole-grain foods has notified its online customers that their personal data may have been exposed in a recent cyber-attack. Bob’s Red Mill Natural Foods issued a data breach notice on April 15 after learning that it had fallen victim to a data scraping cyber-attack that began two months ago. “We

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. [00’24”] Fun Fact. Do you know your Adam Osborne from your John Osbourne? [01’12”] Another 0-day in Chrome. [05’03”] How not to choose a cybersecurity holiday destination. [07’37”] This Week in Tech History.

The US government has warned that North Korean state-sponsored cyber actors are targeting organizations in the blockchain and cryptocurrency industries. A joint advisory issued this week by the FBI, CISA and the US Treasury revealed that the notorious Lazarus APT group is targeting organizations operating in this sector using trojanized cryptocurrency applications. These include crypto exchanges, cryptocurrency

by Paul Ducklin Oracle’s latest quarterly security updates just arrived. Unlike other software behemoths such as Microsoft, Adobe and Google, who produce official security updates once a month, thus following a schedule that is both regular and frequent, Oracle has historically and resolutely stuck to just four scheduled updates a year. Even Apple, which notoriously

Senior US officials have stepped up their warnings about Russian cyber-attacks on critical national infrastructure (CNI) as the war in Ukraine intensifies. During an interview on “60 Minutes” on CBS, Deputy Attorney General Lisa Monaco from the Department of Justice (DoJ) and Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly discussed cyber-threats and the

by Paul Ducklin Back when the Bitcoin protocol was invented, the idea was to build a simple global payment system that wasn’t (and couldn’t be) controlled by any central broker. In other words, you wouldn’t need to apply to a private company for a credit card, or to get permission from a regulator to send

A Ukrainian energy supplier was targeted by a new variant of Industroyer malware named Industroyer2. The discovery was made by researchers from cybersecurity vendor ESET in collaboration with the Ukrainian Computer Emergency Response Team (CERT-UA). The Industroyer malware was believed to have been used by the Sandworm APT group to cut power in Kiev, Ukraine, back in 2016. In

The developer of a popular WordPress plugin has updated its product to fix a critical vulnerability that could be exploited to change the appearance of websites. Elementor is marketed as a leading website building platform for WordPress, enabling over five million users to easily create websites for themselves or their business without writing any code. However,

Microsoft has revealed how a coordinated operation helped disrupt a notorious Trojan used widely around the world to facilitate ransomware and other attacks. ZLoader was spawned from the infamous Zeus banking Trojan, but like similar malware TrickBot and Emotet, it underwent significant development over the years, adding new functionality. As such, it soon evolved from

by Paul Ducklin For the third time this year, Google’s Chrome browser has quietly received a security update together with the dreaded words, “Google is aware that an exploit […] exists in the wild.” In this case, the bug is officially dubbed CVE-2022-1364: Type Confusion in V8. V8 is Google’s JavaScript engine – the same

The number of publicly reported data breaches in the US increased by double digits year-on-year in the first three months of 2022, according to the Identity Theft Resource Center (ITRC). The non-profit claimed that the increase represents the third successive year in which Q1 figures have exceeded those recorded 12 months previously. The vast majority

The MetroHealth System in Cleaveland, Ohio, recently disclosed a data breach involving 1700 of its patients. In a recent statement, MetroHealth announced that on November 13, while the health system’s electronic medical records systems were being upgraded, 1700 patient records were unintentionally disclosed. The breach involved patient names, care provider names and appointment details. MetroHealth claimed

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

by Naked Security writer The cryptocurrency world is full of weird stories. You’ve probably heard of the Welshman who who claimed he inadvertently threw away a hard disk containing bitcoinage worth $500 million, and went to his local council for permission to dig up the landfill site where he assumed it would have been dumped,

German wind turbine manufacturer, Nordex Group, was hit by a cyber-attack on 31 March 2022, with an update issued by the firm this week. The cyber-attack was detected by IT security team at an early stage, according to Nordex, and response measures were taken quickly. Nordex revealed that the necessary response protocols were taken and IT

A certified ethical hacker has been charged with multiple offenses after stealing a significant sum of cryptocurrency worth nearly $600,000, Police in Pinellas Park, Florida, arrested 27-year old Aaron Daniel Motta after he reportedly stole an elderly client’s Trezor hardware wallet and its password while providing security help. Clearwater Police said that Motta transferred the

by Paul Ducklin Researchers at healthcare cybersecurity company Cynerio just published a report about five cybersecurity holes they found in a hospital robot system called TUG. TUGs are pretty much robot cabinets or platforms on wheels, apparently capable of carrying up to 600kg and rolling along at just under 3km/hr (a slow walk). They’re apparently