On Friday, as presidential candidate Beto O’Rourke made his way through Iowa, Reuters published what has been called a “bombshell” revelation that O’Rourke was once a member of a hactivist group known as the Cult of the Dead Cow (cDc). While conducting research for his new book, Joseph Menn stumbled across evidence that suggested O’Rourke may

by Lisa Vaas Update 18 March 2019 FamilyTreeDNA emailed users last week to let them know that they can now opt out of DNA matching that will be used to help police identify the remains of deceased people or to help them track down violent criminals. It’s now calling that type of investigative DNA research

The data breach at Wolverine Solutions Group (WSG) continues to plague the healthcare industry, with more organizations, including Spectrum Healthcare, sending security notices to customers. As was the case for many organizations who have already issued security notices, Spectrum said it has no reason to believe its systems or customer information may have been compromised.

by Paul Ducklin This week, the Naked Security Podcast tries to figure out where Mark Zuckerberg’s new “Facebook Privacy Promise” is going, and digs into both the technical and community aspects of a recent Chrome zero-day exploit. With Anna Brading, Mark Stockley and Matthew Boddy. (This week, Duck was away in London giving a dramatic

Amid widespread speculation that a cyber-attack caused the outage of Facebook‘s services earlier this week, the social media platform contends that the issue was the result of a server configuration change. Despite the array of questions about when it made the change to the server and when it realized that the configuration error had triggered the

by Lisa Vaas Back in 2012, Sophos picked up a stash of USB keys from a lost property auction as an experiment. It turned out that they were a scary bunch of sticks: 66% of them contained malware, and not a single one was encrypted. Well, the more things change, the more things USB drive-related

Researchers at vpnMentor have discovered a security vulnerability in Gearbest, a Chinese e-commerce business that reportedly processes hundreds of thousands of sales a day. According to a blog post from vpnMentor’s research team, hackers were able to access different parts of Gearbest’s database, during which time they discovered more than 1.5 million records, ranging from

by Paul Ducklin Sextortion is where crooks email you out of the blue, say they have sex-related pictures or webcam footage of you, and demand you to pay them thousands of dollars, OR ELSE. Even people who never watch porn and don’t have a webcam find this sort of scam confronting and scary… …so we

Malicious actors who breached a Pakistani government site and delivered the ScanBox Framework payload have been tracking users who visit the site to check the status of their passport applications, according to research from Trustwave. Since attackers compromised the site, visitors to the subdomain (tracking.dgip.gov[.]pk) of the Pakistani government website’s Directorate General of Immigration & Passport load

by Paul Ducklin It’s Pi Day – or World Pi Day, if you prefer, or even Universe Pi Day, given that Pi is a universal constant. As you may remember from school mathematics, Pi is the cool and amazing ratio you get when you divide the distance around a circle by the distance across it

After months of investigating what was believed to be the largest online drug trafficking ring in the past decade, Israeli police, in conjunction with officers of the Security Service of Ukraine (SBU), have arrested 42 suspects, including the alleged leader. According to SBU, “On March 12, Ukrainian law enforcers basing on the motion about international

by Paul Ducklin Sextortion is back! In fact, it never went away. Some of us get dozens of sextortion scam emails every month to our work and personal accounts, demanding us to PAY MONEY OR ELSE!! In the crime of sextortion, the “OR ELSE” part is a threat to release a video of a sexual

A prolific malware, dubbed Ursnif, has resurfaced with new features, including the ability to bypass a popular Japanese antivirus software called PhishWall, according to Cybereason. Described as one of the most prolific information-stealing malware programs, Ursnif has been around since at least 2013. For nearly three months, researchers have been observing a campaign that has

by Lisa Vaas Facebook on Friday sued two Ukrainian men, Andrey Gorbachov and Gleb Sluchevsky, for allegedly scraping private user data through malicious browser extensions that masqueraded as quizzes. The company also alleges that the deceptive extensions injected unauthorized ads into Facebook users’ News Feeds when their victims visited through the compromised browsers. From Facebook’s

In the proposed 2020 federal budget, released by the White House today, President Donald Trump has requested nearly $11bn be allocated to improving cybersecurity. “For cyber, the budget continues to integrate efforts and operationalize US cyber strategy, while scaling artificial intelligence throughout the department,” the document stated. Throughout the 150-page document, cybersecurity appeared several times, falling into

by Danny Bradbury The US Army has been forced to clarify its intentions for killer robots after unveiling a new program to build AI-powered targeting systems. The controversy surrounds the Advanced Targeting and Lethality Automated System (ATLAS). Created by the Department of Defense, it is a program to develop: Autonomous target acquisition technology, that will

A September 2018 ransomware attack on Wolverine Solutions Group (WSG) has had widespread impact, resulting in hundreds of thousands of customers being warned that their personal information may have been part of a data breach, according to Detroit Free Press. In a statement to its clients, Wolverine Solutions Group wrote, “On approximately September 25, 2018, WSG

by Danny Bradbury Firefox users will soon get yet another privacy feature to help them avoid snooping advertisers – and the measure comes straight from its cousin, the Tor browser. The new privacy protection will help Firefox users avoid a long-used snooping technique called fingerprinting. Browser cookies are not the only way to track users

Researchers at Pen Test Partners revealed in a proof of concept (PoC) that they were able to exploit vulnerabilities in two high-end “smart” alarms. In their PoC, the pen testers debunked third-party car alarm vendors’ claim to be the solution to key relay attacks on keyless-entry cars. “We have shown that fitting these alarms can make

by Paul Ducklin We’ve written many times about ';--have i been pwned? (HIBP), a website run by security researcher Troy Hunt where you can check how many times your email address has shown up in data breaches. Amazingly, the number of breached accounts that Troy has processed into his database over the years is just

Russia has proposed legislation that would ban the spread of fake news, as well as the use of the internet to disrespect government officials and state symbols. The law appears to be similar to one enforced in Nigeria, where a journalist has been charged with cybercrimes for speaking out against the government, according to the

by Paul Ducklin Today is International Women’s Day 2019. In the leadup, a bunch of people – friends, family, colleagues and you, our readers – asked us whom we’d count amongst our female technoheroes, so we thought we’d tell you. We know what you’re thinking, which is probably along the lines of, “They’re bound to mention Rear

Speaking at RSA Conference 2019, Black Hills Information Security owner John Strand discussed threat hunting and how this can be done on a small budget. He admitted that identifying command and control (C&C) traffic is “very difficult” as we have got to the stage where malware can be stealthy and uses C&C to hide, and

by Lisa Vaas A 13-year-old Japanese schoolgirl was brought in, questioned, and charged with posting the code for an unclosable browser popup on an internet billboard, the Japanese news agency NHK reported on Monday. According to ZDNet, you could close the popup in some desktop browsers, including Edge and Firefox, but you couldn’t close it

Speaking at RSA Conference 2019 on ‘Defining a cyber-risk appetite that works,’ Jack Jones, chairman of the FAIR Institute, discussed the need to create a risk appetite, and how to identify what you need a risk appetite for. He said that having a risk appetite “depends on your situation” and this is not a static

by Paul Ducklin Chrome users, make sure you’ve got the very latest version. Or, as Justin Schuh, one of Chrome’s well-known security researchers, put it: [L]ike, seriously, update your Chrome installs… like right this minute. We’re not big Chrome fans – we’ve always thought that Firefox is better in both form and function, to be

Speaking on ‘The Art of the Nudge, Cheap Ways to Steer User Behavior’ at RSA Conference 2019, Branden Williams, director of cybersecurity at MUFG Union Bank, highlighted the psychological ways that user actions can be influenced.  Using real world examples, such as calorie counts on a menu to help you make a healthier choice, or towels and bed

by Paul Ducklin The Naked Security podcast explains why storing plaintext passwords is an unnecessary evil, investigates a cryptocurrency spat between a software maker and a disgruntled user, and tells you some earnest but sometimes unpopular truths about how to keep your children safe online. With Anna Brading, Paul Ducklin, Mark Stockley and Matt Boddy.

Speaking at the CSA Summit, Cloud Security Alliance founder member and ACLU technology fellow Jon Callas tackled the question on whether the future of privacy is “Futile or Pretty Good?” He claimed that it is “really easy to be nihilistic about security” and all too easy to follow the news, but he believed that we

by Lisa Vaas Video streaming app TikTok has agreed to pay a $5.7 million fine for allegedly collecting names, email addresses, pictures and locations of children younger than 13 – all illegal under the US’s Children’s Online Privacy Protection Act (COPPA). This is the largest settlement ever handed down for violating the nation’s child privacy