Chinese-made drones may be sending sensitive flight data to their manufacturers in China, according an alert issued by the US Department of Homeland Security (DHS), CNN reported on May 20. In a copy of the alert obtained by CNN, DHS said, “The United States government has strong concerns about any technology product that takes American data

by John E Dunn Some of Europe’s biggest ISPs and mobile operators stand accused of using Deep Packet Inspection (DPI) technology to quietly undermine net neutrality rules and user privacy. News of the troubling allegation first reached the public domain earlier this year in an analysis by German organisation epicenter.works. It claimed it had detected

Complying with a request by US authorities, Ecuadorian officials are preparing to hand over documents that are reportedly the entire legal defense against Julian Assange, compiled during the time he has been living in the Ecuadorian embassy in London, according to WikiLeaks. “On Monday Ecuador will perform a puppet show at the embassy of Ecuador

by John E Dunn A company accused of fraudulently obtaining 757,000 IPv4 addresses has been ordered to hand them back after the American Registry for Internet Numbers (ARIN) won a landmark judgment against it. The dispute began in late 2018 when ARIN, which allocates IPv4 addresses in the US, Canada and parts of the Caribbean

The city of Baltimore’s computer systems have remained down since a ransomware attack hit more than a week ago, but the city says it will not pay the ransom despite today’s final 10-day deadline, according to copy of the ransom note obtained by the Baltimore Sun. The May 7 note warned that if the ransom were

by John E Dunn Arrests in Europe and the US appear to have ended the cybercrime careers of the gang behind the GozNym banking malware. According to Europol, which coordinated the pursuit of 10 people in Ukraine, Moldova, Georgia, Bulgaria, Germany and the US, GozNym stole $100 million by infecting 41,000 devices around the world

A recent survey found that to gain counterintelligence the vast majority of organizations would allow an attacker to take decoy files rather than stop an attack in progress, according to the latest International Cyber Benchmark Index from the Neustar International Security Council (NISC). A reported one in five companies are currently employing forensic investigations, as

by Lisa Vaas Six people have been indicted for allegedly being SIM card swappers who stole victims’ identities and their cryptocurrency, and three mobile phone company employees have been indicted for allegedly accepting bribes to help them steal subscribers’ identities. On Thursday, federal prosecutors in the US Attorney’s Office for the Eastern District of Michigan

Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s files were stored. Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows.

by Danny Bradbury Google had egg on its face this week after it had to recall some of its Titan hardware security keys for being insecure. Titan is Google’s name for its family of hardware security keys that provide two-factor authentication (2FA) for web users. Launched in July 2018, they offer a level of physical

A high-risk vulnerability in Cisco‘s secure boot process was disclosed earlier this week by Cisco and Red Balloon Security and is believed to have affected an estimate 100 or more devices. The vulnerability (CVE-2019-1649) is “in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow

by Naked Security writer It’s that time of year again. Please vote for us in the European Security Blogger Awards 2019. We’re up for an award called The Corporates – The Best CyberSecurity Vendor Blog, and if you think we’re the best, you can have your say on the voting page: (You don’t have to

After analyzing the top three breaches from the past three years, Bitglass found that in the aftermath of a data breach, a decrease in stock price was a notable repercussion identifiable for publicly traded companies. The report, Kings of the Monster Breaches, identified the extensive damage done by improper security by looking specifically at the Marriott

by Mark Stockley Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the

Lawmakers in San Francisco will vote today on legislation that would ban the use of facial recognition technology among city departments, according to NPR. If approved, the law would make San Francisco the first city to ban the technologies use, a ban that would extend to police body cameras. “Governments have used the technology for

by Mark Stockley On Monday 13 May, Facebook revealed that an “advanced cyber actor” has been spying on some users of its ridiculously popular WhatsApp messaging app, thanks to a zero-day vulnerability that allowed hackers to install spyware, silently, just by calling a victim’s phone. The vulnerability is now fixed, which means that if you’re

Malicious or criminal attacks accounted for nearly twice as many data breaches as those resulting from human error during the first quarter of 2019, according to the Notifiable Data Breaches Quarterly Statistics Report by the Office of the Australian Information Commissioner (OAIC). The report, published today, marks the start of Australia’s Privacy Awareness Week. “By understanding the

by Lisa Vaas The US thinks it knows who’s behind the vast breach that siphoned off 78.8 million customer and employee records from US health insurer Anthem between 2014 and 2015. On Thursday, the Justice Department unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking group, based in China,

A report published today by Advanced Intelligence revealed that three US-based antivirus software vendors have been breached, and a high-profile collective of Russian hackers is claiming responsibility. Using a credential-stuffing botnet, the known international cybercrime group has reportedly stolen more than 30 terabytes of data from the networks of three U.S.-based antivirus firms. Advanced Intelligence research

by Lisa Vaas The US Federal Trade Commission (FTC) is yet again beating the drum for the long-discussed, much-debated, when-in-the-world-will-this-happen national data privacy law, the lack of which keeps the country from parity with the EU and its General Data Protection Regulation (GDPR)… …or, for that matter, with the state of California, with its California’s

Photo storage app Ever failed to get consent from users who uploaded millions of images to the service before it adopted the images as tools to train a commercial facial recognition system, according to NBC News. Without disclosing their use of the images to users of the app, Ever also reportedly offered to sell that facial

by Danny Bradbury Another day, another massive MongoDB exposure. This time, a security researcher has discovered a public-facing database with over 275 million records containing personal information on citizens in India. The researcher is Bob Diachenko, who spends a lot of time poring over Shodan search results. Shodan is a search engine, but unlike Google

In an attempt to reduce exposure and enable network security, the Department of Homeland Security (DHS) in collaboration with the Federal Bureau of Investigation (FBI) has released a report analyzing a North Korean traffic tunneling tool named ELECTRICFISH. The DHS and FBI have identified a malware variant used by the North Korean government, yet another

by John E Dunn Slowly but steadily, web developers are being given the tools with which to tame the promiscuous and often insecure world of the browser cookie. The latest big idea is an IETF standard called SameSite (aka RFC6265bis), which Google and Mozilla have promoted since 2016 and the former announced this week it

Americans in every state are overconfident in their cybersecurity coverage, with the majority of consumers expressing confidence they are taking appropriate steps to protect themselves, according to the 2019 report published by Wakefield Research and commissioned by Webroot. The Cyber Hygiene Risk Index, published on May 8, found that 88% of consumers expressed confidence in

by Paul Ducklin Over the past few months, we’ve written and spoken many times about a scam known as sextortion. Sextortion is an online crime that combines sex and extortion – the crooks say that they have embarrassing pictures of you, and they’ll send the pictures to your friends and family… …unless you pay them

After its acquisition of SecureData earlier this year, Orange has announced another agreement it has signed to acquire SecureLink, a transaction that will advance Orange’s position in the EU’s cybersecurity industry, according to a May 7 press release. The deal will afford Orange a position of leadership in Europe’s cybersecurity scene as SecureLink already has

by John E Dunn Google released its May security update for Android this week – but how many Android users will be lucky enough to get it this week, or even this month? If you own one of Google’s Pixel devices, the answer is immediately. If you’re among the bulk of Android users who own

Researchers have identified a significant uptick in breaches and attacks related to the internet of things (IoT), according to a new Ponemon Institute report, The Third Annual Study on Third Party IoT Risk: Companies Don’t Know What They Don’t Know. Released today by the Santa Fe Group, the study yielded 35 key findings on IoT risks

by John E Dunn It’s easy to forget that malware authors are regular human beings with hobbies and interests – not that different from their many victims, in fact. Take the contrived tendency to embed references to popular culture in malware – as the creator behind a new type of ransomware called MegaCortex has done.