A man from Florida will not be serving time in prison for his role in a multi-million dollar Medicare fraud scheme involving the sale of patients’ personal and medical data. Boca Raton resident, Nathan LaParl, aged 35, and his 30-year-old accomplice Talia Alexandre, of Palm Springs, worked with foreign call centers to contact Medicare patients
by Paul Ducklin If you’re using PHP in your network, check that you’re using the latest version, currently 8.1.3. Released yesterday [2022-02-17], this version fixes various memory mismanagement bugs, including CVE-2021-21708, which is a use-after-free blunder in a function called php_filter_float(). A proof-of-concept exploit based on using PHP to query a database shows that the
The infamous Trickbot Trojan has targeted customers of scores of big-name brands over the past year, including Amazon, PayPal and Microsoft, according to new data from Check Point. The security vendor claimed that the malware had infected at least 140,000 victims since November 2020, with attackers being careful to target high-profile victims. Among the 60 brands
by Paul Ducklin. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
The UK’s cybersecurity industry generated record levels of external investment and revenue in the last financial year, according to official figures. The DCMS Annual Cyber Sector Report 2022 revealed more than £1bn was raised in external investment over 84 deals during this period. This includes Bristol-based Immersive Labs, which secured £53.5m, and London-headquartered Tessian, which raised more
by Paul Ducklin VMware’s latest security bulletin doesn’t mince its words about how quickly you should patch: When do I need to act? Immediately. The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments. [… G]iven the severity, we strongly recommend that you act. The issues referred to
A range of pressing cybersecurity issues was discussed by members of the RSA Conference advisory board during a virtual session this week. The panelists began by highlighting the elevated profile of cybersecurity during the COVID-19 pandemic, which is increasingly coming to the attention of business leaders. Caroline Wong, chief strategy officer at Cobalt, noted that “when I began my career, I
by Paul Ducklin In the past few days, both Apple and Adobe have published software updates to close off zero-day security holes that were already being exploited by attackers. Remember that a zero-day exploit is a security bypass, typically one that allows Bad Guys to break in and run or implant software of their own
Reported scams surged by 17% in the final quarter of 2021 in the UK, while attempted scams increased by 70% over the same period, according to new data from Barclays. The findings, based on responses from over 2000 UK residents, came as the bank issued new guidance for the public on how to detect the common
by Paul Ducklin Using the Adobe Commerce online selling platform? Using Magento, the free, open-source variant of the same product? Buying products from online stores that use either of these? Using online services that themselves use services that (…repeat up the supply chain as needed…) ultimately depend upon Magento or Adobe’s paid version? If so,
A local authority in the UK hit by suspected Russian actors has set aside £380,000 ($514,000) to remediate and recover from the incident, according to reports. Gloucester City Council discovered the breach back in December and warned at the time that it could take up to six months to fix as servers would need rebuilding.
Security researchers at Website Planet have discovered an unsecured Amazon S3 bucket containing the Personally Identifiable Information (PII) of millions of people. Inside the bucket were ten folders, containing around 6,000 files and totaling over 1GB of data. While most (approximately 99%) of the data belongs to American residents, some information relates to people living in Canada.
A leader of the hacking group Team-Xecuter has been sentenced to prison for participating in a piracy conspiracy against multiple gaming companies. Canadian national Gary Bowser, who is also known as GaryOPA, was arrested in the Dominican Republic in September 2020 on suspicion of creating and selling illegal software and devices that enabled users to play pirated
by Paul Ducklin Here on Naked Security, we’ve been lamenting the mysterious nature of Apple’s security updates for ages. For example, even when widely-known security problems appear in components that are part of Apple’s operating system, Apple routinely refuses to say when, or even if, it plans to address the issues itself. Back in February
Nearly half of emails destined for inboxes in 2021 were classed as spam, with Russia the biggest culprit, according to Kaspersky. In its new Spam and Phishing in 2021 report, the Russian AV company revealed that it detected spam rates at an average of 46% over the year, peaking at 48% in June. Most of it came from
The evolution of cyber-threats and the confluence of new systems and legacy systems are the most significant current challenges for security teams, according to a panel of CISOs speaking during a virtual event organized by HP Wolf Security. Moderated by Ed Amoroso, chief executive officer of TAG Cyber LLC, the session began with a simple question to
by Naked Security writer The story as we know it now sounds simple, but the investigation wasn’t. It all started, according to court papers, with a security breach reported in August 2016 by the Bitcoin exchange Bitfinex. (The court application for an arrest warrant refers to the company only as “VCE”, short for Virtual Currency
The UK’s Foreign Office was the target of “a serious cybersecurity incident,” according to a document accidentally published on a government website. The BBC reported that the tender document revealed that unidentified hackers infiltrated Foreign, Commonwealth and Development Office (FCDO) systems, but were detected. It added that cybersecurity company BAE Systems Applied Intelligence was called
by Paul Ducklin Yesterday, we wrote that Microsoft had decided to turn off a handy software deployment feature, even though the company described itself as “thrilled” by the feature, and described its functionality as “popular”. #ICYMI, that was about the use of so-called App Bundles to make software available for download via your browser. By
Pornographic websites will be legally obliged to introduce robust checks to verify the age of users under new plans published by the UK government. The measure is designed to protect children from accessing pornography from commercial providers. Announced on Safer Internet Day, the standalone provision has been added to the UK’s Online Safety Bill. The obligation
by Paul Ducklin Late last year (November 2021), we reported on an unusual campaign of scammy emails warning recipients that they were in big trouble at work. If you saw one of these, you’ll probably remember it: a customer had made a formal complaint and the company was scrambling to hold a meeting to investigate
The UK government has unveiled plans to strengthen its Online Safety Bill, which includes the creation of new criminal offenses. The legislation, first drafted in May 2021, will place new obligations on social media sites and other services hosting user-generated content or allowing people to talk to others online to remove and limit the spread of illegal
Lithuanian-based cybersecurity companies and rival virtual private network (VPN) providers Nord Security and Surfshark have finalized a merger agreement. The companies said that the merger would “open new technical knowledge-sharing opportunities and enable more focused market diversification.” Both companies will continue to operate autonomously and maintain separate infrastructure and product roadmaps. Since both companies are privately owned entities, the transaction
Security researchers at Apiiro have discovered a significant software supply chain zero-day vulnerability in the popular open-source continuous delivery platform, Argo CD. Used by thousands of organizations globally, Argo CD is a tool that reads environment configurations (written as a helm chart, kustomize files, jsonnet or plain YAML files) from git repositories and applies it to Kubernetes namespaces. The
by Paul Ducklin To misquote (and, indeed, to mispunctuate) Charles Dickens: it was the best of blockchains; it was the worst of blockchains. This week, cryptocurrency company Wormhole lived up to its name by exposing an exploitable vulnerability that apparently allowed cybercriminals to run off with an eye-watering 120,000 Ether tokens. Assuming a conversion rate
Cyber-criminals are making and laundering millions through non-fungible tokens (NFTs), according to new data from Chainalysis. NFTs are technically unique records on a blockchain that are each linked to a piece of digital content. They can be minted and sold by the content creator to investors, fans and collectors. Their popularity soared last year, according to
Phishing kits designed to circumvent multi-factor authentication (MFA) by stealing session cookies are increasingly popular on the cybercrime underground, security researchers at Proofpoint have warned. After years of prompting by security teams and third-party experts, MFA finally appears to have reached a tipping point of user adoption. Figures from Duo Security cited by Proofpoint in a new blog today
by Paul Ducklin If you run a WordPress site and you use the Elementor website creation toolkit, you could be at risk of a security hole that combines data leakage and remote code execution. That’s if you use a plugin called Essential Addons for Elementor, which is a popular tool for adding visual features such