A 19-year-old completely self-taught hacker from Argentina has just been recognized as the first bug bounty hacker to earn more than $1 million in bounty payout awards, according to HackerOne. Santiago Lopez, the hacker, who uses the handle @try_to_hack, has been discovering and disclosing vulnerabilities through HackerOne’s bug bounty program since 2015. In 2016, he earned

by Lisa Vaas Cellebrite phone-cracking devices, beloved by law enforcement, are available at bargain-basement prices on eBay, so you can get a gander at all the devices that the police have presumably been able to squeeze for data. Here’s a second-hand Cellebrite UFED device showing off its capabilities, courtesy of security researcher Matthew Hickey: Cellebrite

Even though misconfigurations in public clouds create risks to enterprise security, a new study found that more than half of IT professionals do not really understand the risks inherent in public cloud misconfigurations as well as they understand risks within their traditional IT environments. The 2019 State of Enterprise Cloud and Container Adoption and Security

by John E Dunn Researchers have spotted an unusual ‘trackware’ attack triggered by viewing a PDF inside the Chrome browser. Security company EdgeSpot said it noticed suspicious PDFs, which seem to have been circulating since 2017, sending HTTP POST traffic to the tracking site readnotify.com. The behaviour only happened when a user viewed a PDF

The state of Massachusetts is reportedly facing increased cyber threats from adversaries who are trying to steal sensitive information, according to the Gloucester Daily Times. In an interview with Stephanie Helm, director of the MassCyberCenter, State House reporter Christian M. Wade learned that the state’s computer systems as well as Massachusetts businesses and individuals are

by Mark Stockley Some ideas are so good at getting people to spread them that they go viral. There doesn’t have to be any design, purpose or merit in an idea to make it spread. It doesn’t have to be good, interesting, helpful, useful or true, in fact it can even be a very bad,

Cryptocurrency mining tool Coinhive has decided to shut up shop, although not because of its rampant abuse by hackers over the past two years. The team behind the Monero miner revealed all in a brief post on Tuesday, claiming that the 18-month project had come to an end as it was no longer economically viable.

by Paul Ducklin Cyberscare-of-the-moment is the “Momo challenge”, named after an admittedly rather freaky Japanese sculpture known as Momo, or the Mother-Bird. The sculpture was made a few years ago by a horror-movie special effects artist and displayed at an art exhibition. Pictures of the sculpture began to circulate online over the last year or

The advanced persistent threat (APT) group known since 2013 as BRONZE UNION, as well as Emissary Panda, APT 27 and LuckyMouse, is believed to be based in China, according to Secureworks. Published today, the State of the [BRONZE] UNION Snapshot and A Peek into BRONZE UNION’S Toolbox, are based on nearly two years of continuous,in-depth visibility

by Paul Ducklin The Naked Security podcast investigates a massive medical data blunder, tells you how NOT to do vulnerability disclosure, and finds out whether password managers do more harm than good. With Anna Brading, Paul Ducklin, Mark Stockley and Matt Boddy. This week’s stories: Millions of “private” medical helpline calls exposed on internet Virus

A graduate of The College of Saint Rose in Albany, New York, has been charged with damaging college computers, according to the Department of Justice’s (DoJ’s) US Attorney’s Office of the Northern District of New York. The 26-year-old Albany resident is reportedly a citizen of India who has been in the United States on a student visa.

by Danny Bradbury Mozilla has told the Australian government that its anti-encryption laws could turn its own employees into insider threats. The Mozilla Corporation, which is the arm of the Mozilla Foundation that develops and maintains its software, made the striking warnings in a letter to the country’s government last week. The letter, written to

Young women in West Virginia will join more than 6,000 high school girls for the second year of Girls Go CyberStart, an interactive series of digital challenges that teachers girls about cybersecurity.  First introduced in 2018, the program launched with 231 participants from 27 high schools across West Virginia. This year, according to West Virginia’s governor, Jim Justice,

by Danny Bradbury Officials in Tampa, Florida, were scrabbling to regain control of the mayor’s Twitter account this week after a hacker hijacked it to post bomb threats and child sex abuse images. The attacker, who took over the account just two weeks before the city’s municipal elections, tried to implicate others in the hijacking.

Two US House committees will hold hearings next week, each focusing on data privacy as public pressure continues to mount for regulations that address protecting American consumers. On Tuesday, February 26, the House Consumer Protection and Commerce subcommittee will hold its hearing, “Protecting Consumer Privacy in the Era of Big Data.” The following day the

by Lisa Vaas A YouTube content creator has found what he calls a “wormhole” that, within as few as five clicks, could lead to a “soft-core pedophilia ring” where pedophiles are connecting with each other in the comments sections of innocuous videos featuring children. That content creator is Matt Watson, also known as MattsWhatItIs, who

Entrust Datacard has announced a definitive agreement to acquire nCipher Security. Less than a month after nCipher de-merged from Thales, the deal will see nCipher’s identity-based and PKI security solutions become part of Entrust, enabling Thales to complete its acquisition of Gemalto. Operating as a separate stand-alone business within Thales since January 2019 under the

by Paul Ducklin We’re not fans of the phrase “First World problem”, not even now it’s in the Oxford Dictionary of English After all, if humans indeed lived in Africa long before they decided to see what Europe was like, surely Africa ought to be the First World, and we’d count upwards from there? But

An analysis of multiple top password manager products has revealed vulnerabilities in the tools they use that could potentially put the security of user’s credentials at risk, according to Independent Security Evaluators (ISE). A new study, Under the Hood of Secrets Management, found that a variety of different password managers, including 1Password and LastPass, have

by Lisa Vaas Last week, CNBC reported that Facebook looks up users’ location data when it thinks they’re a threat to the company’s employees or facilities. Until recently, granting an Android app access to your location was an all-or-nothing deal: you either had to turn off location and prevent the app from seeing your location

Apparently cyber-criminals have an affinity not just for stealing credentials but more specifically for pilfering user credentials for pornography sites, according to a new report from Kaspersky Lab. The new report found that nearly 110,000 people were attacked with credential-stealing malware specifically targeting a premium pornography account. That’s more than double the 50,000 people who faced

by John E Dunn Researchers have uncovered a surprising security weakness in password managers – several popular products appear to do a weak job at scrubbing passwords from memory once they are no longer being used. An analysis by Independent Security Evaluators (ISE) uncovered the problem to different degrees in versions of 1Password, Dashlane, LastPass

Foreign adversaries pose threats to US national security, but researchers at Check Point believe that the advanced persistent threat (APT) group known as Lazarus is now targeting Russian organizations. In a February 19 blog post, Check Point revealed findings from research that suggests the North Korean APT known as both Lazarus and Hidden Cobra has

by Lisa Vaas There’s a “helpful tip” making the Facebook rounds, and it’s a little bit helpful but a lot not so much. It’s about using Bluetooth to detect credit card skimmers at gas stations: Here is a helpful tip: When you pull up to a gas station to fill your car. Search your phone

A definitive acquisition agreement between Palo Alto Networks and Demisto, announced today, is expected to close during the fiscal third quarter for Palo Alto Networks. The acquisition of Demisto will be finalized for a total purchase price of $560 million, according to a press release. The total purchase, to be paid in cash and stock, is

by John E Dunn If you’re a security researcher in search of a fat bug bounty, Facebook must look like a good place to start your next hunt. The site has suffered a lot of niggling security flaws in recent times, to which can now be added a new Cross Site Request Forgery (CSRF) protection

Australian Prime Minister Scott Morrison has blamed a “sophisticated state actor” for the recent attempt to hack the parliament’s computer network. On February 8 news broke of the malicious activity which resulted in password resets for government workers. Speaking today, PM Morrison said that there was “no evidence of electoral interference” and that steps were

by Paul Ducklin The cracker who recently put 620 million breached records up for sale… …is back with close to 100 million more, according to reports. Just over five years ago, we jokingly coined the phrase “one hundred million club”, following Adobe’s then-epic leaking of 150 million records. Back then, breaches with that many records

As the value of Bitcoin and other cryptocurrencies continues to fluctuate while governments consider marketplace regulations, J.P. Morgan announced that is launching the first US bank-backed cryptocurrency, JPM Coin. “The JPM Coin is based on blockchain-based technology enabling the instantaneous transfer of payments between institutional accounts,” the press release stated. “Exchanging value, such as money, between different

by Lisa Vaas You are worth $7.37 to Facebook. You are worth $2.83 to Twitter. You are worth 30 cents to Reddit. Dagnabbit, it’s time to cash in! That’s the cry from newly minted California Governor Gavin Newsom, who, in delivering his first state of the state address on Tuesday, said it’s time for the