The US Department of Justice has reportedly launched a new ransomware task force, after an infamous threat group claimed to have stolen Apple trade secrets via a supplier. The REvil (Sodinokibi) group is reported to have posted a blog to its dark web-hosted naming and shaming site in which it claims to have compromised the

by Paul Ducklin Lots of things that we rely on, and that are generally regarded as bringing value, convenience and benefit to our lives… …can be used for harm as well as good. Even the proverbial double-edged sword, which theoretically gave ancient warriors twice as much fighting power by having twice as much attack surface,

The UK government is pushing forward with legislation that imposes new security obligations on the manufacturers of Internet of Things (IoT) devices, the Department of Digital, Media and Sport (DCMS) has announced today. The announcement has come amid growing use of IoT devices, with the UK government highlighting figures from the end of last year

by Paul Ducklin Over the past two months or so, Mozilla’s Firefox browser has had a lot less media attention than Google’s Chrome and Chromium projects… …but Mozilla probably isn’t complaining this time, given that the last three mainstream releases of Chrome have included security patches for zero-day security holes. A zero-day is where the

UK consumers are keen to embrace the use of QR codes as the country exits COVID-19 lockdown, but security experts have warned that low awareness levels could be exploited by cyber-criminals. Security vendor Ivanti recently polled over 500 British consumers to better understand their attitudes to QR codes. The technology is increasingly being used in

by Paul Ducklin We investigate the controversy that was stirred up recently when the FBI in the US used malware to fight malware. The Feds accessed remote access webshells left behind after the recent Hafnium attacks to remove the webshells themselves, after a court order said they could. As helpful and as community-minded as this

Google is shouting about a new standard designed to enhance baseline security across mobile applications. The Mobile Application Profile is the work of the Internet of Secure Things Alliance (ioXt), a consortium of over 300 members including Google, Facebook, T-Mobile, Zigbee Alliance, Schneider Electric and many others. “With so many companies involved, ioXt covers a

by Paul Ducklin Remember Rowhammer? Well, it’s back, and this time it’s called SMASH. Rowhammering is a reliability problem that besets many computer memory chips, notably including the sort of RAM in your laptop or mobile phone. Simply put, rowhammering means that if you read the same memory adddresses over and over and over again,

America has issued a cybersecurity advisory that urges organizations to patch vulnerabilities it says are being exploited by Russian Foreign Intelligence Service (SVR) actors. The warning was jointly issued on April 15 by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), as the US

The United States has indicted two Pakistani men on suspicion of operating an illegal online store that sold false identification documents on the dark web.  Karachi residents 34-year-old Mohsin Raza and 33-year-old Mujtaba Raza were charged in a six-count federal indictment unsealed in the District of New Jersey on April 15.  Each man is charged with conspiracy to

by Paul Ducklin Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath. With Paul Ducklin and Chester Wisniewski Intro and outro music by Edith Mudge. LISTEN NOW Click-and-drag on the soundwaves

Nearly half (44%) of UK remote workers have had monitoring software installed by their employer, but the trend is pushing many into more insecure practices, Kaspersky has warned. Around a year after the pandemic forced a majority of UK employees to work-from-home, the Russian AV vendor polled 2000 full-time staff to understand levels of trust

by Paul Ducklin We look at the big-money hacks from the 2021 Pwn2Own competition. We investigate the difficulties of hiring an assassin via the dark web. We wrestle with some of the privacy issues relating to COVID-19 infection tracking apps. With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

The UK’s quest for unhindered data flows to and from the EU took another important step forward yesterday after the European Data Protection Board (EDPB) approved the Commission’s draft adequacy decisions. Adequacy decisions are the process by which the European Union decides whether countries outside the bloc offer an adequate level of protection for the

by Paul Ducklin Remember HAFNIUM? Of course you do – it was the name behind a foursome of Exchange bugs that got patched in an emergency update early in March 2021. Even though there was just a week to go until March 2021’s Patch Tuesday, Microsoft decided to issue what have become known as the

Thycotic and Centrify have completed their previously-announced merger, and are now operating under the temporary name of ThycoticCentrify, it has been announced. The two cybersecurity firms have joined together to form a single cloud identity security vendor, pooling their respective expertise and tools in the area of privileged access management (PAM). The announcement comes amid

by Paul Ducklin Here’s another BWAIN, which is our shorthand for Bug With An Impressive Name. That’s the abbreviation we use for bugs that end up with names, logos and even dedicated websites that are catchy, cool, fancy, important or dramatic, and sometimes even all of these at the same time. Classic examples of the

Cyber-attacks against global financial institutions are increasingly characterized by attempts to counter incident response, with destructive efforts surging 118% over the past year, according to VMware. The tech giant’s Modern Bank Heists 4.0 report was compiled from interviews with over 120 CISOs and security leaders from some of the world’s biggest banks. It revealed that

by Paul Ducklin An iPhone and Android app called NHS COVID-19 is the official iPhone and Android coronavirus contact tracing software for the vast majority of the population of Great Britain. (England and Wales have standardised on NHS COVID-19, but Scotland has gone down a different path with an app of its own.) Today also

The British public are still woefully underinformed and unaware of the security benefits of multi-factor authentication (MFA), a new study from the FIDO Alliance has revealed. The industry association, founded in 2012 to promote authentication standards and reduce global reliance on passwords, recently polled over 4000 consumers in the UK, France, Germany and the US.

by Paul Ducklin Sometimes, cybercrooks claim to speak from a higher authority than just a missed home delivery… …sometimes they masquerade as an official government body, complete with all the right logos, the right terminology and even a realistic-looking website carefully cloned from the real deal. Learn more about “government” scams and how to avoid

The United States has imprisoned the cyberstalker of a woman who, as a child, survived a violent assault that claimed the life of her friend.  According to court records, the victim was in a Texas bedroom with another girl in December 1999 when an assailant entered and slit both the little girls’ throats. The perpetrator

by Paul Ducklin How scammers copied a government website almost to perfection. What to do about those fake “bug” hunters who ask for payment for finding “vulnerabilities” that aren’t. Why the Dutch data protection authority fined Booking.com for not sending in a data breach disclosure fast enough. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Social media giant Facebook has removed thousands of groups from its platforms over the trading of fake and misleading reviews. The cull occurred after two separate interventions by Britain’s competition watchdog, the Competition and Markets Authority (CMA). In January 2020, Facebook committed to improving its identification, investigation, and removal of groups and other pages where

by Paul Ducklin In a brief yet fascinating press release, Europol just announced the arrest of an Italian man who is accused of “hiring a hitman on the dark web”. According to Europol: The hitman, hired through an internet assassination website hosted on the Tor network, was paid about €10,000 worth in Bitcoins to kill

Surging levels of fraud and financial crime during the pandemic threaten to overwhelm banking teams working from home with disjointed internal systems, according to new research from FICO. The predictive analytics company commissioned Omdia to poll 110 senior executives supporting financial crime-fighting efforts in banks across the US, UK, Brazil, Germany, the Nordics and Canada. In

by Paul Ducklin The annual Pwn2Own contest features live hacking where top cybersecurity researchers duke it out under time pressure for huge cash prizes. Their quest: to prove that the exploits they claim to have discovered really do work under real-life conditions. Indeed, Pwn2Own is a bug bounty program with a twist. The end result

The legal industry’s first comprehensive data security evaluation and accreditation program has been launched today. The Data Steward Program (DSP), which has been developed by the Association of Corporate Counsel (ACC), will enable quick assessments and comparisons of law firms’ data security standards by prospective clients. The ACC said the program has been introduced in

Security researchers have discovered new malware disguised as a Netflix application, designed to spread worm-like via victims’ WhatsApp messages. Check Point discovered the wormable malware in an application on the Google Play Store called ‘FlixOnline’. It was designed to attract Android users by promising unlimited entertainment from anywhere in the world, using the Netflix logo to

by Paul Ducklin The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach. Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly