by Paul Ducklin You’ve probably seen the news, even if you’re not sure what happened. Unless you’re a JavaScript programmer and you relied on either or both of a pair of modules called faker.js and colors.js. If you were a user of either of those projects, and if you are (or were!) inclined to accept
American technology company DigiCert has announced the acquisition of Mocana, a cybersecurity firm based in California. Mocana was founded in 2002 and is headquartered in Sunnyvale. The company’s focus is on embedded system security for industrial control systems and the internet of things (IoT). DigiCert said the acquisition would allow it to offer an end-to-end IoT platform and provide customers
by Naked Security writer According to the FSB, Russia’s Federal Security Bureau (ФСБ), the ransomware gang known in both Russian and English by the nickname “REvil” has been taken down: ФСБ России установлен полный состав преступного сообщества «REvil» The Russian FSB has identified the entire criminal enterprise known as “REvil” In our zest to tell
Russia says it has ended the criminal activities of the REvil ransomware gang and placed its members under arrest. In an action coordinated by the Federal Security Service of the Russian Federation (FSB) in cooperation with the Investigation Department of the Ministry of Internal Affairs of Russia in the cities of Moscow, St. Petersburg, and Lipetsk, searches
by Paul Ducklin Lots of people “run Linux” without really knowing or caring – many home routers, navigational aids, webcams and other IoT devices are based on it; the majority of the world’s mobile phones run a Linux-derived variant called Android; and many, if not most, of the ready-to-go cloud services out there rely on
The assistant principal of a high school in Florida has been charged with aggravated cyber-stalking. Duval County School Board Police arrested 42-year-old Kenyannya Wilcox on Friday over an alleged incident involving her former romantic partner. The defendant’s arrest report alleges that Wilcox was involved in a scheme that aimed to cause “adverse economic impact” to
by Paul Ducklin With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
A cyber-attack on the Medical Review Institute of America (MRIoA) may have exposed the personal data of 134,571 individuals. MRIoA, which is based in Salt Lake City, Utah, said it was “the victim of a sophisticated cyber incident” discovered on November 9, 2021, that resulted in a threat actor’s gaining unauthorized access to its network and exfiltrating
by Paul Ducklin Yesterday was the first Patch Tuesday of 2022, with more than 100 security bugs fixed. We wrote up an overview of the updates, as we do every month, over on our sister site news.sophos.com: First Patch Tuesday of 2022 repairs 102 bugs. For better or for worse, one update has caught the
Cyber-physical systems (CPS) security company Claroty has announced the acquisition of healthcare IoT security business Medigate. In a statement released January 10, Claroty said the deal would allow it to secure the Extended Internet of Things (XIoT) “by delivering unmatched visibility, protection, and threat detection for all connected organizations via one comprehensive solution.” Medigate, which is headquartered in New York’s
by Paul Ducklin Now that a patch has been circulated to vendors, researchers at Sentinel One have released details of a worrying bug in an IoT software driver called NetUSB. The product comes from a Taiwanese hardware and software maker called Kcodes, which describes itself as follows: [A] leading supplier and developer of USB over
A police forensics expert has been sent to prison in the UK for downloading thousands of grim images from police computer systems onto his own computer. Darren Collins, 56, of Little Haywood near Stafford, admitted illegally accessing photographs of crime scenes and post-mortem examinations performed on murder victims. The Crown Prosecution Service (CPS) said Collins “used his digital
A man who worked at the Monsanto Company has admitted stealing a trade secret from his former employer and attempting to sell it to the People’s Republic of China. Xiang Haitao was employed by the American agrochemical and agricultural biotechnology corporation and its subsidiary, The Climate Corporation, as an imaging scientist from 2008 to 2017. The 44-year-old
Cerberus Cyber Sentinel Corporation today announced its acquisition of an American cybersecurity operations and compliance company. The Arizona-based cybersecurity consulting and managed services firm said the decision to acquire True Digital Security was part of a strategy to bring together global security talent as partners. True Digital Security was founded in 1985 and currently has offices in West
by Paul Ducklin Owners of Honda cars of a certain age – apparently somewhere between 10 and 16 years old – have spent the first few days of the New Year reporting a weird “millennium bug style” problem. Apparently, for many cars that are a decade or so old, New Year’s Day 2022 was ushered
A cyber-attack has forced the government of New Mexico’s most populous county to close most of its county buildings to the public. Bernalillo County had to take some of its IT systems offline on Wednesday after becoming the target of a digital assault that county officials suspect was a ransomware attack. In a statement released Wednesday, the
by Paul Ducklin “It’s Log4Shell, Jim,” as Commander Spock never actually said, “But not as we know it.” That’s the briefest summary we can come up with of the bug CVE-2021-42392, a security hole recently reported by researchers at software supply chain management company JFrog. This time, the bug isn’t in Apache’s beleaguered Log4j toolkit,
A mix-up at a school in Worcestershire, England, caused parents to receive the Covid-19 test results of other people’s children. The data breach, reported today by the Evesham Journal, occurred at co-educational secondary school and sixth-form college The De Montfort School (TDMS) in Evesham, which is part of the Four Stones Multi Academy Trust. Students returning
A cyber-attack on American hospitality chain McMenamins may have exposed data belonging to its current and former employees. The business, which owns and operates brewpubs, breweries, music venues, historic hotels, and theater pubs in Oregon and Washington, issued a data breach notice after suffering a ransomware attack. Suspicious activity was identified in the company’s computer network on
by Paul Ducklin The Federal Trade Commission (FTC) is the US consumer rights body, and it has sailed into 2022 with a bang, not a whimper. Using the infamous Log4Shell vulnerability as what you might call its Exhibit A, the FTC has fired a shot across the bows of companies in US jurisdictions, telling them
Police in India have launched an investigation into an app featuring images of Muslim women described as being “for sale as maids.” Open-source online auction application Bulli Bai was hosted by GitHub but has now been removed from the online platform. Indian minister for information and technology Ashwini Vaishnawm said on Saturday that GitHub also
by Paul Ducklin A security researcher called Trevor Spiniolas has just published information about a bug he claims has existed in Apple’s iOS operating system since at least version 14.7. The bug affects the Home app, Apple’s home automation software that lets you control home devices – webcams, doorbells, thermostats, light bulbs, and so on –
Consumers have been warned to stay vigilant of delivery scam texts while online shopping for Christmas and during the Boxing Day sales. UK Finance cited new data from cybersecurity firm Proofpoint showing that delivery ‘smishing’ scams are surging amid the busiest shopping period of the year. This showed that over half (55.94%) of all reported smishing text
A Texas resident has been convicted of stealing hundreds of thousands of dollars from a school district in Idaho through a business email compromise (BEC) scam. Teton School District 401, which serves 1,800 students in seven schools in Teton County, fell victim to the cybercrime three years ago. In 2018, the district’s business manager, Carl Church,
A man from Virginia has admitted cyber-stalking a United States Army recruiter for two years. Braxton Louis Danley, a 26-year-old resident of Luray, began harassing the female victim after failing to pass the army’s entrance exam. Prosecutors said Danley’s first contact with the victim occurred in February 2018 when he sent her an email asking for information
by Paul Ducklin If you create any sort of online content at all – even if you’re just a once-in-a-while blogger or an occasional social media user – you almost certainly know how easy it is for other people to rip off your material and present it as their own. We’re not talking about links,
Unique cyber-attacks declined for the first time in nearly three years in Q3 2021, according to new data from Positive Technologies. The researchers observed a 4.8% decline in unique attacks in Q3 compared to the previous quarter, the first time they have recorded a reduction since the end of 2018. They said that this trend was primarily by
by Paul Ducklin Are you a sysadmin who managed to get your Log4Shell mitigations done in time for the US Government’s cybersecurity deadline of 24 December 2021? If so, you may have enjoyed a Christmas mini-vacation along with much of the rest of the world… …only to return to the fray this week and find
A federal grand jury has charged Uber’s former chief security officer (CSO) with three counts of wire fraud for reportedly failing to inform several hundred thousand Uber drivers that their driver’s licenses had been exposed during a 2016 breach. The superseding charges made to Joe Sullivan, 52, who served as Uber’s CSO from April 2015 through November