by Paul Ducklin A not-yet-published paper from researchers in the UK has been making media headlines because of its dramatic claims about Apple Pay. Apple-centric publication 9to5Mac covered it with a headline that was almost a story in itself: Apparent flaw allows hackers to steal money from a locked iPhone, when a Visa card is
Many iPhone users are vulnerable to payment fraud due to vulnerabilities in Apple Pay and Visa, according to new research from the University of Birmingham and the University of Surrey. The experts revealed they could bypass an iPhone’s Apple Pay lock screen to perform contactless payments when the Visa card is set up in ‘Express Transit mode’
Data breaches at two American mental healthcare providers may have exposed the personal health information (PHI) of thousands of individuals. Horizon House, Inc., which is in Philadelphia, Pennsylvania, warned that 27,823 people may have been impacted by a cyber-attack that took place in the late winter. The provider of mental health and residential treatment services detected
by Paul Ducklin You’ve probably heard of Let’s Encrypt, an organisation that makes it easy and cheap (in fact, free) to get HTTPS certificates for your web servers. HTTPS, short for secure HTTP, relies on the encryption protocol known as TLS, which is short for transport layer security. TLS encrypts and protects the data you
A new emergency fraud hotline has been set up to help tackle surging financial scams in the UK. UK citizens who believe someone may be trying to trick them into handing over money or personal details can now be automatically connected with their bank’s fraud prevention service by dialing 159. The service will work in
Huawei’s CFO is finally back in China after striking a plea deal with the US authorities in which she admitted playing a pivotal role in a scheme designed to defraud a global financial institution. Meng Wanzhou, the daughter of Huawei founder Ren Zhengfei, was indicted by the US in 2019 on charges associated with the firm’s alleged
Lawmakers in Florida are asking why the state has failed to spend millions of dollars it was assigned to fund the implementation of new cybersecurity measures. The Miami Herald reports that despite lawmakers’ allocating $30m for the improvements months ago, the Sunshine State is yet to spend a single cent. The office of Florida’s statewide chief information
by Paul Ducklin Thanks to James Cope and Rajeev Kapur of Sophos IT for their help with this article. Researchers at a cybersecurity startup called Guardicore just published a report about an experiment they conducted over the past four months… …in which they claim to have collected hundreds of thousands of Exchange and Windows passwords
The board of directors at Korean electronics company LG Electronics has approved the acquisition of Israel-based vehicle cybersecurity startup Cybellum. In announcing the deal on Thursday, LG said it would assume a stake of around 64% in Cybellum, which was valued at $140m. The remaining shares will be acquired soon, at which time the final valuation and total investment amount will
by Paul Ducklin [02’01”] A scarily exploitable hole in Microsoft open source code. [10’00”] A simpler take on delivery scams. [19’26”] Memory lane: cool mobile devices from the pre-iPhone era. [23’24”] A Face ID bypass hack, patched for the initial release of iOS 15. [35’21”] Oh! No! When you can’t get into the server (room).
Cell phone users in Canada and the United States are being targeted by a new and advanced form of SMS malware that lures victims with COVID-19-related content. Threat analysts at Cloudmark discovered the new low-volume campaign attacking Android mobile device users and named it TangleBot. This complex malware can directly obtain personal information, control device interaction with apps
by Paul Ducklin If you’ve already listened to this week’s Naked Security Podcast you’ll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday… …had been dumped forever by Apple. Apple notoriously won’t tell you anything about the security situation in its
More than four-fifths (85%) of the UK’s top 20 universities are putting their students, staff and suppliers at risk of email fraud, according to a new study by Proofpoint. The researchers found that just 15% of the universities have implemented the recommended and strictest level of domain-based message authentication, reporting and conformance (DMARC). DMARC is an
by Paul Ducklin VMware’s latest security update includes patches for 19 different CVE-numbered vulnerabilities affecting the company’s vCenter Server and Cloud Foundation products. All of the bugs can be considered serious – they wouldn’t be enumerated in an official security advisory if they weren’t – but VMware has identified one of them, dubbed CVE-2021-22005, as
International information security accreditation and certification body CREST has appointed Rowland Johnson as its new President. Johnson will take over from Ian Glover, who retired as President of CREST on September 1 after nearly 13 years in the post. This will be for an initial term of one year. Johnson was previously a member of the CREST
by Paul Ducklin Apple’s iOS 15 is now out – the very latest software version for iPhones, just in time for the official launch of the new iPhone 13 later in the week. (Yes, you can buy an iPhone 13 today, but only by placing what modern sales and marketing jargon refers to as a
“Wrapped” Bitcoin worth more than $12m has been stolen from the decentralized finance protocol pNetwork. The cross-chain project announced the theft of 277 BTC on September 19 via Twitter, ascribing the hack to a codebase vulnerability. The theft was executed on Binance Smart Chain, which featured in the biggest ever DeFi heist in history – the $610m Poly
by Paul Ducklin We’ve been warning about fake courier scams on Naked Security for many years, even before the coronavirus pandemic increased our collective reliance on home deliveries. These scams can take many different forms, including: A fake gift sent by an online “friend” is delayed by customs charges. This is a common ruse used
Register now for our 15th Annual Infosecurity Magazine Autumn Online Summit The event showcases an extensive education program featuring high caliber speakers and thought leaders in the cyber community, as well as offering packed resource centers featuring the latest reports, research and case studies.
A cyber-criminal who defrauded American telecommunications giant AT&T out of more than $200m through a phone-unlocking bribery scheme has been sentenced to prison. Muhammad Fahd, a 35-year-old citizen of Pakistan and Grenada, led a seven-year conspiracy in which AT&T employees were bribed to unlawfully unlock nearly two million customers’ cell phones for profit. The plot began in
More Native American tribes are going to be given enhanced access to critical databases containing national crime information for the United States. In an announcement made September 16, the Department of Justice said that 12 tribes have been newly selected to participate in the Tribal Access Program for National Crime Information (TAP), bringing the total number of
Over $133m has already been lost this year to romance scams, with victims increasingly urged to invest in fraudulent cryptocurrency opportunities, according to the FBI. A new Public Service Announcement was published yesterday revealing that the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints from January 1 to June 31 this year, resulting in soaring
by Paul Ducklin The September 2021 Patch Tuesday updates from Microsoft came out this week. The fix that everyone was waiting for with bated breath was the patch for CVE-2021-40444, a zero-day remote code execution bug in MSHTML that was announced by Microsoft just days before Patch Tuesday came around: Windows zero-day MSHTML attack –
Three big-name UK brands have been collectively fined nearly half a million pounds by the privacy regulator after sending hundreds of millions of nuisance marketing messages to consumers. We Buy Any Car was fined £200,000 by the Information Commissioner’s Office (ICO) after bombarding consumers with over 191 million emails and 3.6 million nuisance texts. Saga Services and Saga Personal
by Paul Ducklin [01’28”] Apple patches two zero-day bugs. [09’25”] Microsoft patches one zero-day bug. [15’49”] A security researcher finds a fast-food bug (non-insect sort). [23’04”] Oh! No! A touchpad user turns right into left, and vice versa. (See also: Big Office bug squashed for September 2021 Patch Tuesday.) With Paul Ducklin and Doug Aamoth.
Three former members of the United States military or United States Intelligence Community (USIC) have been fined for providing hacking-related services to a foreign government. United States citizens, 49-year-old Marc Baier and 34-year-old Ryan Adams, and 40-year-old former US citizen Daniel Gericke were investigated by the Department of Justice (DOJ) over claims that they had violated U.S.
by Paul Ducklin Articles in our Serious Security series are often fairly technical, although we nevertheless aim to keep them free from jargon. In the past, we’ve dug into topics that include: website hacking (and how to avoid it), numeric computation (and how to get it right), and post-quantum cryptography (and why we’re getting
Global financial services firms spent more than $2m on average recovering from a ransomware attack last year, according to new data from Sophos. The UK security vendor polled 550 IT decision-makers in mid-sized financial sector firms around the globe to compile its State of Ransomware in Financial Services 2021 report. It found that a third (34%) of firms
by Paul Ducklin You know what we’re going to say, so we’ll say it right away. Patch early, patch often. Canadian privacy and cybersecurity activist group The Citizen Lab just announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems. They’ve given the attack the nickname FORCEDENTRY, for rather obvious reasons, though
Messaging giant WhatsApp is set to roll out end-to-end encrypted (E2EE) backups later this year, in what privacy campaigners claim to be another win for user privacy and security. The Facebook-owned company said it had designed an entirely new system for encryption key storage to support the new service. “With E2EE backups enabled, backups will be encrypted