Security

California-based respiratory care provider SuperCare Health revealed it had been hit by a data breach that affected more than 300,000 individuals. A recent data security notice posted on its website revealed that it discovered the incident on July 27  2021, when unauthorized activity was detected on a number of its systems. A subsequent investigation revealed that certain systems were

by Paul Ducklin Three years ago, we published an article with the dramatic-sounding title Serious Security: Post-Quantum Cryptography (and why we’re getting it). As you probaby know, so-called quantum computers work in a rather mysterious way compared to conventional computers, inasmuch as they can perform certain sorts of calculation so that they effectively “compute” all

by Paul Ducklin The infamous LAPSUS$ gang, whose curious brand of cyberextortion has been linked with intrusions at Microsoft, Samsung, Okta, Nvidia and others, still seems to be on the boil. According to Microsoft’s own analysis of the gang’s intrusion at Microsoft itself, these hackers use a range of social engineering techniques that go beyond

The multifaceted nature of modern supply chain risks was highlighted by Jon France, CISO for (ISC)², during (ISC)² Secure London this week. France, who was appointed the first-ever CISO of (ISC)² earlier this year, emphasized that rapid digitization across all industries had significantly widened organizations’ threat landscape during COVID-19. “Speed can sometimes be the enemy of risk,” he noted,

by Paul Ducklin The good news in this month’s Android patches is that even though Google’s own updates close off numerous elevation of privilege (EoP) holes, there aren’t any remote code execution bugs on the list. The bad news, of course, is that EoP bugs that directly lead to root access, without any tell-tale signs,

The websites of Finland’s defense and foreign affairs were taken offline today following DDoS attacks. The ministries each confirmed the attacks on Twitter earlier today, although the websites now appear to be back up and running. The nation’s Ministry of Defense wrote at 10.45 am GMT: “The Department of Defense website http://defmin.fi is currently under attack. We

The Information Commissioner’s Office (ICO) is currently investigating a cyber-attack across TrustFord branches throughout the UK. The vehicle dealer group revealed the attack, which is believed to have been committed by the Conti ransomware gang, affected the firm’s internal systems. In particular, access to the internet and phones within the business was affected. However, TrustFord assured

by Paul Ducklin If you’ve ever written technical documentation to use online, you probably started out by creating it directly in HTML (hypertext markup language), so you could drop it directly into your website. You may have used various HTML editors that gave you a real-time but not entirely precise preview, but you’ll have spent

by Paul Ducklin LISTEN NOW [01’34”] LAPSUS$ hacking, 2022-style. [06’11”] Zero-day emergency updates from Apple. [08’46”] Elevation of privilege patches in Android. [09’41”] Bugs fixed in Firefox 99. [11’00”] The SATAN network scanner and its impact on threat reponse. [14’02”] Two confusing bugs in VMware Spring. [20’17”] Old-school hacking, PDP-11 style. Click-and-drag on the soundwaves

The website of Gazprom Neft, the oil arm of Russian state gas company Gazprom, was offline on Wednesday after an alleged hack, in what appears to be the latest hack on a government-associated site following Russia’s invasion of Ukraine. A statement allegedly from Gazprom CEO Alexie Miller, a close friend of President Vladimir Putin, was briefly

by Paul Ducklin German police have located and closed down the servers of Hydra, allegedly one of the world’s biggest underground online stores. Investigators at the Bundeskriminalamt (BKA – the Federal Criminal Police Office) claim that the Russian-language Hydra darkweb site, accessible via the Tor network, had about 17 million customer accounts (many individual buyers

Russian hackers used compromised employee credentials to launch the cyber-attack that severely disrupted internet services in Ukraine last week, it has been claimed today. Kyrylo Honcharuk, CIO of Ukrtelecom, Ukraine’s national telecommunications provider targeted in the attack on March 28, said Russia accessed the account of an employee in a region “recently temporarily” occupied, although

by Paul Ducklin The once-every-four-weeks security update to Mozilla’s Firefox browser officially arrived today. The regular version of Firefox is now 99.0, while the Extended Support Release, which gets security fixes without any feature updates, is now 91.8.0 ESR. Add together the first two numbers in the ESR release triplet and you should get the

Federal police in Germany have disrupted a Russian-language darknet marketplace that specialized in the sale of illicit drugs, forged documents, intercepted data and illegal digital services. In an action coordinated with the United States Justice Department, authorities shut down the Germany-based servers of the Hydra Market on Tuesday, seizing $25m in bitcoin what they allege to be proceeds of crime. 

Cyber-criminals are impersonating the confectioner Cadbury online to steal personal data.  Users of social media platform Facebook and messaging platform WhatsApp have encountered a scam that lures victims with the promise that they will receive a free Easter basket packed with chocolate treats. Cadbury has confirmed that the offer is “not genuine” and has stated that it is taking

The American Public University System (APUS) is joining forces with the US Cyber Command (USCYBERCOM) to help boost the nation’s cybersecurity posture. APUS is a private online learning university system composed of American Military University and American Public University. Each offers a strong cyber defense-focused curriculum at undergraduate and graduate levels. The National Security Agency (NSA)

by Paul Ducklin Tomorrow is 31 March 2022, and the last day of March is World Backup Day… …which is a good time for us to remind you of a little saying that we like. You’ll have heard it before if you listen to the Naked Security Podcast; if so, here it is again, because

by Paul Ducklin LISTEN NOW Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

An employee of the United States National Security Agency (NSA) has been accused of sending national defense secrets from his personal email account.  A 26-count indictment unsealed Thursday in the District of Maryland alleges that 60-year-old Mark Robert Unkenholz willfully transmitted classified National Defense Information (NDI) on 13 occasions between February 14 2018 and June 1 2020.

by Paul Ducklin Apple has just sent out two security advisories covering two zero-day security holes, namely: Apple Bulletin HT213219: Kernel code execution bug CVE-2022-22675. This security fix is for iOS and iPadOS, both of which get updated to version 15.4.1. Apple Bulletin HT213220: Kernel code execution bug CVE-2022-22675 and kernel data leakage bug CVE-2022-22674.

The United States House of Representatives has passed a bill that would change how cybercrime is tracked, measured and reported by the federal government. The Better Cybercrime Metrics Act (S.2629), authored by US senator Brian Schatz, was approved by the House in a bipartisan 377-48 vote on Tuesday. Once signed into law, the bill will encourage local and federal

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint statement with the Department of Energy (DoE) warning of attacks against internet-connected uninterruptible power supply (UPS) devices. UPS devices provide emergency battery backup power during power surges and outages and are routinely attached to networks for power monitoring and routine maintenance. In a warning

by Paul Ducklin Yesterday, we wrote about a bug in the VMware Spring product, a project we described as “an open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the ‘server’ part of the process yourself.” But Spring is a huge project, with

by Paul Ducklin VMware Spring is a open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the “server” part of the process yourself. If you’ve heard the term serveless computing, then this is the sort of programming environment it refers to: the overall

The United States Federal Bureau of Investigation (FBI) is currently investigating more than 100 different variants of ransomware, many of which have been used in multiple ransomware campaigns. Information on the Bureau’s efforts to tackle the malware threat was among the remarks delivered to the United States House Committee on the Judiciary in Washington on Tuesday by

by Paul Ducklin You’ve probably heard of Zlib, but even if you haven’t, you’ve almost certainly used it. Zlib’s unashamedly 1990s-style website describes the product as A Massively Spiffy Yet Delicately Unobtrusive Compression Library (Also Free, Not to Mention Unencumbered by Patents). Data compression software (and, of course, the matching code to decompress it later)

A Russian tech company is sending to Russia data collected from iOS app users who have never used its apps, according to a security researcher.  In a report by the Financial Times, researcher Zach Edwards explains how third-party apps can use a developer tool created by the company Yandex to harvest iOS users’ data. Yandex is the largest

by Paul Ducklin Last time we reported on a Chrome zero-day flaw was back in February 2022. Back then, Google noted that the Chrome browser – and, by implication, all other browsers based on the Chromium-project code and its underlying Blink rendering engine – had been patched against a range of memory mismanagement bugs that

A Health District in the State of Washington has made its second data breach announcement of 2022.  Both data breaches at the Spokane Regional Health District (SRHD) occurred when employees fell victim to phishing attacks.  On January 24, the district confirmed that personal data may have been compromised when an unauthorized individual compromised an employee’s email account

Personal data belonging to American Major League Baseball Players and their family members have been stolen during a cyber-attack on a third-party vendor. Consulting firm Horizon Actuarial Services LLC. (Horizon Actuarial), based in Silver Spring, Maryland, was attacked with ransomware in November 2021.  In a recent data incident notice, the company revealed that data in its