by Danny Bradbury Google is manually reviewing Android apps that request access to a smartphone’s phone or texting features. The move fulfils a promise to restrict how apps can access these functions on Android phones. In the announcement last October, the company explained that it would restrict which apps could ask for access to SMS

The new year is a time for resolutions and promises of change, so much so that even malware has returned from a bit of time off with some new features, including a new Flash exploit, according to Malwarebytes head of investigations, Jérôme Segura. The Fallout exploit kit (EK) took a little respite over the first few

by John E Dunn The Have I Been Pwned? (HIBP) website has revealed another huge cache of breached email addresses and passwords discovered last week circulating among criminals. Named “Collection #1”, its statistics are as impressive as they are worrying: 87GB of data, 12,000 files, and 1.16 billion unique combinations of email addresses and passwords.

An attack leveraging the open-source Build Your Own Botnet (BYOB) framework has reportedly been intercepted by Israeli cybersecurity firm Perception Point’s incident response team. According to the team, this appears to be the first time the BYOB framework has been found to be used for fraudulent activity in the wild. While these tactics and techniques have

by Danny Bradbury In a case that could be straight out of a legal TV drama, a computing font has cost a couple two houses in a Canadian bankruptcy case. The Superior Court of Ontario ruled against Gerald and Kathryn McGoey earlier this month in a dispute over two property trusts. The couple married in

A malicious MS Word document, titled “eml_-_PO20180921.doc,” has been found in the wild, and according to researchers at Fortinet’s FortiGuard Labs, the document contains auto-executable malicious VBA code. Victims who receive and open the document are prompted with a security warning that macros have been disable. If the user then clicks on “enable content,” the NanoCore

by Danny Bradbury Senior Amazon technical expert Abby Fuller had a bit of a shock when she logged into WhatsApp using a new telephone number earlier this month. She found someone else’s messages waiting for her. logged into whatsapp with a new phone number today and the message history from the previous number’s owner was

Despite the burgeoning IoT market, organizations made limited progress on IoT security in 2018, according to a new report from Gemalto. Though there is evidence of incremental improvements, security measures are being outpaced by the rapid growth of IoT, which is on track to hit 20 billion devices by 2023. The survey queried 950 IT

by John E Dunn Microsoft has vexed its users with another misbehaving update. The latest problem occurred on 8 January when enterprise users running Windows 7 or Windows Server 2008 R2 with a Key Management Service (KMS) started complaining on Microsoft’s TechNet forums and Reddit that they were seeing two errors, the first relating to licensing,

Three different vulnerabilities in the Schneider Electric EVlink Parking electric vehicle charging station, which could have allowed an attacker to halt the charging process, have been patched, according to Positive Technologies. Researchers discovered the vulnerabilities, CVE-2018-7800, CVE-2018-7801 and CVE-2018-7802, in charging stations used at parking environments in several countries, including at offices, hotels, supermarkets, fleets and municipals. The

by Danny Bradbury The US government shutdown is affecting more than just physical sites like national parks and monuments. Now, government websites are shutting down as their TLS certificates expire, according to internet security and statistics company Netcraft. In an online post, the company says that more than 80 websites using the .gov domain have

A research team of experts from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel has published findings on page cache attacks. Unlike Spectre and Meltdown, this attack is a first-of-its-type, hardware-agnostic, side-channel attack that can remotely target operating systems such as Windows and Linux and effectively exfiltrate data, bypassing security precautions. In explaining the

by John E Dunn With every new hack, it’s becoming clearer that older forms of two-factor authentication (2FA) are no longer the reassuring security protection they once were. The latest and perhaps most significant is that researcher Piotr Duszyński has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes

For the second time in less than two months, the New York Times has reported that a progressive group of Democrats allegedly leveraged social media sites in a secret project intended to spread false information and sway the 2017 Senate race in Alabama. According to the New York Times, “The ‘Dry Alabama’ campaign, not previously

by Paul Ducklin In this episode, the Naked Security Podcast investigates the ethics of remote rickrolling, whether Acrobat is the new Flash, and how to fool biometrics with a zombie hand. With Anna Brading. Paul Ducklin, Mark Stockley and Matthew Boddy. This week’s links: Don’t fall victim to the Chromecast hackers Update now! Adobe Acrobat

The healthcare sector continues to be the target of cyberattacks, with Managed Health Services (MHS) of Indiana Health Plan announcing recently that a third-party data breach potentially exposed up to 31,000 patients’ personal data in one of two security incidents the company has disclosed in the past month. The organization reportedly manages Indiana’s Hoosier Healthwise

by Danny Bradbury Old Twitter posts could reveal more about you than you think, according to a research paper released this month. Tweets could reveal places you visited and things you did, even if you didn’t explicitly mention them. Researchers from the Foundation for Research and Technology in Greece and the University of Illinois found

Using a new penetration testing tool to automate phishing attacks, hackers can potentially bypass two-factor authentication (2FA), according to a new post published by security researcher Piotr Duszynski. The tool was written to intentionally make phishing campaigns as easy and effective as possible, said Duszynski. Dubbed Modlishka, a Polish word that means “mantis,” the tool

by John E Dunn After a busy sequence of updates in October, November, and December, the new year’s first Patch Tuesday promises a lighter workload. All told, there are 49 patches with CVEs, two advisories affecting Adobe and the Windows 10 servicing stack updates (see below), with a modest seven rated ‘critical’. In a welcome

IcePick-3PC has impacted a range of businesses, from publishers to e-commerce, across a variety of industries, including retail and healthcare, according to researchers from The Media Trust’s digital security and operations (DSO) team. The malware strain was first identified in spring 2018 and is able to steal device IPs en masse.   When it was initially detected,

by John E Dunn For decades hot tubs were simple water-bearing garden luxuries that owners looked forward to relaxing in of an evening. More recently, manufacturers started adding exciting Internet of Things (IoT) features that product marketing departments worked themselves into a lather promoting as the next must-have. These IoT-enabled hot tubs look identical to

Network and endpoint security company, Sophos, announced today that it has acquired Avid Secure, a cloud infrastructure security company that uses artificial intelligence to deliver cloud security analytics, according to a press release. No further details about the acquisition have been released, though a spokesperson for the company said in an email that Sophos will

by John E Dunn How easy is it to bypass the average smartphone’s facial recognition security? According to the Dutch consumer protection organisation Consumentenbond, in the case of several dozen Android models, it’s a lot easier than most owners probably realise. Its researchers tested 110 devices, finding that 42 could be beaten by holding up nothing

The Advanced Cyber Security Center (ACSC) has published its first annual report, “Leveraging Board Governance for Cybersecurity, the CISO / CIO Perspective,” the results of which highlight the need for boards to be active governance partners in collaborative cyber defense. Recognizing the shared value of collaboration across organizational functions and between and among organizations when

by Lisa Vaas Need to spy on your spouse? Your employees? That suspect who refuses to unlock his Android? It was easy-peasy up until a few weeks ago: you could have just grabbed their phone, placed a Skype call to it, answered the call, then poked around, no passcode needed. In October, Florian Kunushevci, a

The Marriott breach announced on November 30, 2018, was initially suspected to have compromised the data of nearly 500 million customers, but on Friday the Starwood company updated its database security incident advisory to reflect what it now believes to be a more realistic and slightly smaller number of guests that were impacted. After weeks of

by John E Dunn For anyone who believes vein authentication is more secure than fingerprints or facial recognition, we have good news – researchers have just showed how the technology can be beaten. Before we explain why that statement isn’t a contradiction, let’s dive a bit deeper into what researchers Jan Krissler and Julian Albrecht

A unique phishing template using fake fonts to evade detection and to better steal user credentials for a major US bank has been discovered, according to new research from Proofpoint. Researchers identified what they are calling a first-of-its kind phishing template that uses fake fonts to exploit web font features typically used by developers to deploy a

by Paul Ducklin We wrote about the resurgence of a year-old Facebook hoax during the holiday season… …and ended up with many people asking us, “Does it really matter?” Over the years we’ve seen hoaxes telling you that you definitely should post a picture of an egg, that you definitely shouldn’t set your profile picture

Researchers at Trend Micro discovered spyware that had successfully disguised itself as a legitimate Android application. Initially found in a game called Flappy Birr Dog, the malware has been widely distributed, affecting users from 196 different countries. According to research, the application was available on Google Play and had more than 100,000 recorded downloads from