Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s files were stored. Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows.

by Danny Bradbury Google had egg on its face this week after it had to recall some of its Titan hardware security keys for being insecure. Titan is Google’s name for its family of hardware security keys that provide two-factor authentication (2FA) for web users. Launched in July 2018, they offer a level of physical

A high-risk vulnerability in Cisco‘s secure boot process was disclosed earlier this week by Cisco and Red Balloon Security and is believed to have affected an estimate 100 or more devices. The vulnerability (CVE-2019-1649) is “in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow

by Naked Security writer It’s that time of year again. Please vote for us in the European Security Blogger Awards 2019. We’re up for an award called The Corporates – The Best CyberSecurity Vendor Blog, and if you think we’re the best, you can have your say on the voting page: (You don’t have to

After analyzing the top three breaches from the past three years, Bitglass found that in the aftermath of a data breach, a decrease in stock price was a notable repercussion identifiable for publicly traded companies. The report, Kings of the Monster Breaches, identified the extensive damage done by improper security by looking specifically at the Marriott

by Mark Stockley Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code: A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the

Lawmakers in San Francisco will vote today on legislation that would ban the use of facial recognition technology among city departments, according to NPR. If approved, the law would make San Francisco the first city to ban the technologies use, a ban that would extend to police body cameras. “Governments have used the technology for

by Mark Stockley On Monday 13 May, Facebook revealed that an “advanced cyber actor” has been spying on some users of its ridiculously popular WhatsApp messaging app, thanks to a zero-day vulnerability that allowed hackers to install spyware, silently, just by calling a victim’s phone. The vulnerability is now fixed, which means that if you’re

Malicious or criminal attacks accounted for nearly twice as many data breaches as those resulting from human error during the first quarter of 2019, according to the Notifiable Data Breaches Quarterly Statistics Report by the Office of the Australian Information Commissioner (OAIC). The report, published today, marks the start of Australia’s Privacy Awareness Week. “By understanding the

by Lisa Vaas The US thinks it knows who’s behind the vast breach that siphoned off 78.8 million customer and employee records from US health insurer Anthem between 2014 and 2015. On Thursday, the Justice Department unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking group, based in China,

A report published today by Advanced Intelligence revealed that three US-based antivirus software vendors have been breached, and a high-profile collective of Russian hackers is claiming responsibility. Using a credential-stuffing botnet, the known international cybercrime group has reportedly stolen more than 30 terabytes of data from the networks of three U.S.-based antivirus firms. Advanced Intelligence research

by Lisa Vaas The US Federal Trade Commission (FTC) is yet again beating the drum for the long-discussed, much-debated, when-in-the-world-will-this-happen national data privacy law, the lack of which keeps the country from parity with the EU and its General Data Protection Regulation (GDPR)… …or, for that matter, with the state of California, with its California’s

Photo storage app Ever failed to get consent from users who uploaded millions of images to the service before it adopted the images as tools to train a commercial facial recognition system, according to NBC News. Without disclosing their use of the images to users of the app, Ever also reportedly offered to sell that facial

by Danny Bradbury Another day, another massive MongoDB exposure. This time, a security researcher has discovered a public-facing database with over 275 million records containing personal information on citizens in India. The researcher is Bob Diachenko, who spends a lot of time poring over Shodan search results. Shodan is a search engine, but unlike Google

In an attempt to reduce exposure and enable network security, the Department of Homeland Security (DHS) in collaboration with the Federal Bureau of Investigation (FBI) has released a report analyzing a North Korean traffic tunneling tool named ELECTRICFISH. The DHS and FBI have identified a malware variant used by the North Korean government, yet another

by John E Dunn Slowly but steadily, web developers are being given the tools with which to tame the promiscuous and often insecure world of the browser cookie. The latest big idea is an IETF standard called SameSite (aka RFC6265bis), which Google and Mozilla have promoted since 2016 and the former announced this week it

Americans in every state are overconfident in their cybersecurity coverage, with the majority of consumers expressing confidence they are taking appropriate steps to protect themselves, according to the 2019 report published by Wakefield Research and commissioned by Webroot. The Cyber Hygiene Risk Index, published on May 8, found that 88% of consumers expressed confidence in

by Paul Ducklin Over the past few months, we’ve written and spoken many times about a scam known as sextortion. Sextortion is an online crime that combines sex and extortion – the crooks say that they have embarrassing pictures of you, and they’ll send the pictures to your friends and family… …unless you pay them

After its acquisition of SecureData earlier this year, Orange has announced another agreement it has signed to acquire SecureLink, a transaction that will advance Orange’s position in the EU’s cybersecurity industry, according to a May 7 press release. The deal will afford Orange a position of leadership in Europe’s cybersecurity scene as SecureLink already has

by John E Dunn Google released its May security update for Android this week – but how many Android users will be lucky enough to get it this week, or even this month? If you own one of Google’s Pixel devices, the answer is immediately. If you’re among the bulk of Android users who own

Researchers have identified a significant uptick in breaches and attacks related to the internet of things (IoT), according to a new Ponemon Institute report, The Third Annual Study on Third Party IoT Risk: Companies Don’t Know What They Don’t Know. Released today by the Santa Fe Group, the study yielded 35 key findings on IoT risks

by John E Dunn It’s easy to forget that malware authors are regular human beings with hobbies and interests – not that different from their many victims, in fact. Take the contrived tendency to embed references to popular culture in malware – as the creator behind a new type of ransomware called MegaCortex has done.

The Israel Defense Forces (IDF) claim to have thwarted a cyber-attack from Hamas by targeting the building where Hamas cyber operatives work, according to IDF. After the alleged cyber-attack, IDF responded with a physical attack in what Forbes contributor Kate O’Flaherty called “a world first.” According to the commander of the IDF’s cyber division, identified only by his

by Lisa Vaas In December 2018, the CEO of Canada’s major cryptocurrency exchange, QuadrigaCX, allegedly died of Crohn’s disease while in India without telling anybody the password for his storage wallet. Oh, really? Funny, that. Experts say that Crohn’s is hardly likely to kill an otherwise healthy 30-year-old. Nor was there an autopsy. Or, apparently,

In an effort to address the cybersecurity skills gap and create a more resourceful and effective cybersecurity workforce, the US Senate has passed the Federal Rotational Cyber Workforce Program Act of 2019.   In 2017 the Government Accountability Office (GAO) determined that the country’s cyber workforce challenges posed high risk and reported that “the federal government needs

by Paul Ducklin Update. Shortly ater publishing this article we were able to fetch Firefox 66.0.4, which claims to fix this issue by repairing a broken certificate chain. We haven’t yet received notification of an update to the Tor Browser, but we expect to see one soon. [2019-05-05T22:15Z] It’s a long weekend here in the

In advance of the California Consumer Privacy Act (CCPA) going into effect January 1, 2020, researchers analyzed how prepared US organizations are for the new regulations and found that nearly half of all companies will not be ready to comply with CCPA. According to research conducted by the International Association of Privacy Professionals (IAPP) and OneTrust, reputation

by John E Dunn When it comes to an easy life, the criminals behind the fearful Anubis banking malware have become big fans of Twitter and, increasingly, the secure messaging of Telegram. There’s nothing new in malware piggybacking on popular services but why Twitter and Telegram, and is the recent migration to secure messaging significant?

Since 2017, digital ad spending has increased while fraud losses have declined, according to the fourth annual Bot Baseline Report, published by White Ops and the Association of National Advertisers (ANA). The report found that for the first time more fraud will be stopped than will succeed, suggesting that defenders are gaining ground in the

by Paul Ducklin April 2019 was a good month for bold Belgians! Professsional Belgian cyclist Victor Campanaerts broke the world hour record, covering an amazing, unassisted, undrafted 55km in a velodrome (55,089 metres, in fact) in 60 minutes. The previous record, set by Sir Bradley Wiggins in 2015, had stood for nearly four years. But