US lawmakers have been warned of the growing risk to national and corporate security posed by Chinese efforts to dominate 5G infrastructure and the IoT supply chain. The US-China Economic and Security Review Commission’s 2018 report to Congress claimed that significant state support for these technologies, along with alleged cyber-espionage, IP theft and other measures, have

In his opening keynote presentation kicking off the second day of this year’s Infosecurity North America conference in New York, the technical director of cybersecurity threat operations center for the NSA, Dave Hogue, talked about how innovations in policy, technology, and people can lead to break-through results in one of the largest 24-7-365 operational environments across the

It’s months past when the EU’s General Data Privacy Regulations (GDPR) went into effect, and many are wondering, “Where are we now?” Among the many aspects of the GDPR talked about at today’s Infosecurity North America conference, Nashira Layade, SVP, CISO at Realogy Holdings Corp., and Elena Elkina, partner at Aleada Consulting, spent a bit

Security researchers are urging parents to think twice about buying GPS-enabled smart watches to keep their children safe, after revealing that scores of models are riddled with vulnerabilities. Pen Test Partners’ initial research detailed security issues with the MiSafes device first launched three years ago. The idea, like all similar devices, is that it keeps

MPs are unhappy at the government’s response to their committee report on cybersecurity skills in critical infrastructure (CNI), claiming it fails to address the immediate challenges facing the industry. The Joint Committee on the National Security Strategy published its initial report in July, claiming the skills gap in the sector was “cause for alarm” and that

A Japanese minister in charge of cybersecurity has shocked lawmakers after revealing that he doesn’t use a computer, and struggles to grasp the concept of a USB stick. Yoshitaka Sakurada, 68, is deputy chief of the government’s cybersecurity strategy office. However, responding to an independent lawmaker at a Lower House Cabinet Committee meeting this week, he’s

A new report looked at the number of companies that allow users to access corporate data on personal devices and found that most organizations enabling BYOD lack proper security controls, according to Bitglass.   With the advent of the cloud, more employees are taking advantage of being able to work from anywhere at anytime on any

The CEOs of BlackBerry and Cylance held a media conference this morning after announcing news of an acquisition.  BlackBerry announced that it has finalized an agreement in which it will acquire Cylance for $1.4 bn in cash, plus the assumption of unvested employee incentive awards. With Gartner citing security as the top barrier to successful

by Paul Ducklin A security researcher recently figured out how to stash the complete works of Shakespeare in a single tweet, which sounds like a really neat way to conceal private data right in public eye… …but the “hiding place” is pretty obvious once you know what to look for. You end up with a

by Lisa Vaas The US, China and Russia are some of the big names that are missing from the list of signees of the Paris Call for Trust and Security in Cyberspace: an initiative designed to establish international etiquette with regards to the internet, including coordinating disclosure of technical vulnerabilities. French President Emmanuel Macron announced

by Lisa Vaas There was the sound of breakers tripping in all seven of the grid’s low-voltage substation, and then, the station was plunged into darkness. It was the worst possible scenario: swaths of the country’s grid had already been offline for a month, exhausting battery backups at power plants and substations alike. What would

by Danny Bradbury The epidemic of Twitter-based Bitcoin scams took another twist this week as attackers tweeted scams directly from two verified high-profile accounts. Criminals sent posts from both Google’s G Suite account and Target’s official Twitter account. Cryptocurrency giveaway scams work by offering money to victims. There’s a catch, of course: They must first

by Danny Bradbury We’ve had fake videos, fake faces, and now, researchers have developed a method for AI systems to create their own fingerprints. Not only that, but the machines have worked out how to create prints that fool fingerprint readers more than one time in five. The research could present problems for fingerprint-based biometric

by Lisa Vaas MiSafes, the maker of surveillance devices meant to track kids, is back in the news. This time it’s due to the company’s smartwatches that researchers say are drop-dead simple to hack. Pen Test Partners has found that attackers can easily eavesdrop on children’s conversations; track them; screw with the geofencing so that

by Lisa Vaas Christine Sullivan was stabbed to death on 27 January 2017, in the kitchen of the New Hampshire home where she lived with her boyfriend. Her friend, Jenna Pellegrini, was also murdered that day, in an upstairs bedroom. There might have been a witness who heard Sullivan’s murder as it happened, given that

by Paul Ducklin This week: hacking phones at Pwn2Own, the brand new SophosLabs Threat Report, and squeezing Shakespeare into one tweet. Also, RIP James Lewis Pond, known to Mac users the world over as Pondini, whom we talked about in last week’s podcast but didn’t do justice to. With Anna Brading, Paul Ducklin and Mark

Without any notable opposition to the Senate’s version of the bill, the House agreed to a reorganization of the Cybersecurity and Infrastructure Security Agency (CISA) Act earlier this week, according to FCW.  Replacing the National Protection and Programs Directorate, the new agency will oversee the cybersecurity of federal computer systems and will be a government liaison

by John E Dunn How many computer users still regularly use Windows XP? It’s a trick question, of course, because the answer is that millions of people do every time they take money out of an ATM cash machine; a significant proportion of which still run some variant of the geriatric OS. It’s a finding

Despite the session’s name, “Two Points of View: Collaboration and Disclosure: Balancing Openness About Cyber Security with Managing Risk and Reputation,” panelists at today’s Infosecurity North America conference were actually in agreement about sharing threat intelligence.  Moderated by Joseph Gittens, director, standards, Security Industry Association, the panelists explored the different channels by which information can and

by Paul Ducklin Twice a year, an international contest called Pwn2Own – the Olympic Games of competitive hacking, if you like – gives the world’s top bug-hunters a chance to show off their skills. The word pwn, if you aren’t familiar with it already, is hacker jargon for “own”, as in “owning” someone’s computer –

Finding and keeping talent in the cybersecurity industry is a challenge for organizations of all sizes around the globe. As a result, the talent market is highly competitive, which is why a panel of experts came together at this year’s Infosecurity North America conference in New York to talk about building an effective cybersecurity team

by John E Dunn Cybercriminals have returned to old-school manual hacking tactics to boost the efficiency of targeted extortion, according to research conducted for the SophosLabs 2019 Threat Report. Ransomware attacks are nothing new, but well known examples like CryptoLocker or WannaCry have tended to be opportunistic and indiscriminate. To penetrate their targets they rely on

Nordstrom is the latest victim in a long line of data breaches suffered across the retail sector, according to The Seattle Times. The Seattle-based retailer suffered a data breach in which a wide range of personal information was exposed. In addition to disclosing employee names, their Social Security numbers and dates of birth, checking account and

by Paul Ducklin Conspiracy theorists can stand down from puce alert! A network outage that affected US providers including Google and Cloudflare on Monday, intermittently diverting traffic via China… …has been chalked up to a blunder. Here’s why. Internet traffic depends heavily on a system called BGP, short for Border Gateway Protocol, which ISPs use

WannaCry ransomware is still the most widespread cryptor family and has hit almost 75,000 users as of Q3 2018, according to new research from Kaspersky Lab. The firm discovered that since the WannaCry outbreak in May 2017 that cost the NHS £92m, the ransomware has affected 74,621 users across the globe and is still active

by Paul Ducklin Here at Naked Security, we’ve written about steganography before. Steganography is a fascinating trick for sending secret messages – and it’s intriguingly different from cryptography, even though the two techniques are often lumped together as if they were the same. Simply put, cryptography scrambles messages so that only the intended recipient can

To more accurately assess the threats of cyber vulnerabilities, the National Institute of Standards and Technology (NIST) has partnered with IBM to use Watson’s artificial intelligence (AI) with scoring bugs. The Common Vulnerabilities and Exposures (CVE) system assigns publicly known security vulnerabilities a score based on the severity of the flaw. The Common Vulnerability Scoring System

by John E Dunn Researchers have published details of a dangerous flaw in the way the hugely popular WooCommerce plugin interacts with WordPress that could allow an attacker with access to a single account to take over an entire site. WooCommerce’s four million plus users were first alerted to the issue a few weeks back

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Department of Homeland Security (DHS), has issued a US-CERT alert for the JBoss Verify and EXploitation (JexBoss) tool, an open-source tool often used by red teams. According to the alert, malicious actors are using JexBoss to test and exploit vulnerabilities not only in the

by Lisa Vaas Back in April, Facebook automagically retracted CEO Mark Zuckerberg’s messages from recipients’ inboxes. It was good enough for Zuck and other Facebook execs, but alas, beyond the reach of us mere mortal users. But relax, Facebook said at the time: we’re going to bring “Unsend” to one and all in a matter