by Lisa Vaas You know what takes 17 minutes? Building a piece of Ikea’s 5-minute furniture. Walking one mile if you’re in decent shape. Making £500k (USD $569,000) if you’re Facebook. The Register crunched the numbers because that sliver of Facebook revenue – £500k (about $640k) – is how much the social media giant has

As the 2018 midterm elections near, many remain concerned about the security of election infrastructure at the national level, though Steve Grobman, CTO at McAfee, said the realistic security risk lies in an attacker tampering with information and targeting individual counties and states. “A realistic attack wouldn’t require mass voting manipulation or the hacking of

Following reports that Chinese spies infiltrated the supply chain of servers assembled by Supermicro Computers Inc., the New York–based CYBERGYM has launched a new infrastructure-security combat training program. Driven by the belief that threats posed by these types of supply chain and infrastructure hacks are significant, CYBERGYM said it developed the training to help organizations

by John E Dunn As Apple and Samsung have just found out, to their cost, there is a right way and a wrong way to offer software updates to mobile customers. According to Italy’s AGCM antitrust investigators, the right way is for companies to provide iOS and Android updates that add new features and improve the

According to the 2019 Global ICS & IIoT Risk Report published by CyberX, cyber-criminals are increasingly targeting the vulnerabilities of industrial control systems (ICSs) and the industrial internet of things (IIoT).  The report reflects the findings from data captured over the past 12 months from more than 850 production ICS networks across all industrial sectors. While the

by John E Dunn Mozilla’s ambition to turn Firefox into the number one privacy browser was never going to be easy to pull off. Too few, or ineffective, controls and privacy becomes a benefit in name only. Too many blunt controls and there is a danger of making websites difficult to use in ways that

Over 80% of security professionals are concerned about the prospect of attackers using artificial intelligence (AI) against their organization, according to new research from Neustar. The global information services provider polled 301 IT and security professionals across EMEA and the US to compile its latest International Cyber Benchmarks Index. It found that although 87% of

by Lisa Vaas Have you recently tried to ditch a mobile app, only to have it keep following you around? If so, you may be a victim of a new crop of uninstall trackers that go beyond letting app developers track bugs and poor user experience: they also let developers track app users “the instant” they

The website of a Saudi Arabian investment conference hosted by the crown prince has just returned to normal after being defaced following the murder of a Washington Post journalist. The Arab nation has now admitted Saudi national Jamal Khashoggi was murdered on a visit to his country’s consulate in Istanbul at the beginning of the

by John E Dunn Drupal’s maintainers have handed users of the popular content management system (CMS) some urgent patching homework in the form of five security vulnerabilities, including two rated ‘critical’. The headline here is simple: do not ignore Drupal updates or they’re likely to come back and bite you. Two critical flaws Both critical

Early last week, the Centers for Medicare & Medicaid Services (CMS) announced some suspicious activity in the Federally Facilitated Exchanges (FFE), an agent and broker exchanges portal. On October 13, 2018, a CMS staffer noticed the anomalous activity that resulted in the agency declaring a breach on October 16. An unauthorized user reportedly accessed the

by John E Dunn Every now and again security researchers stumble on the sort of bad security flaw that reminds us how innocuous-looking aspects of web development can suddenly turn dangerously hostile. An unnerving example is a vulnerability that Akamai’s Larry Cashdollar stumbled on earlier this year after encountering the hugely popular file upload plugin,

by Lisa Vaas A month after its most recent iPhone and Mac launches, Apple has refreshed its privacy pages. There isn’t much that’s changed: those pages still espouse Apple’s long-held commitment to privacy being a “fundamental human right” and that your information is, for the most part, kept on your iPhones, iPads and Macs. Apple’s iOS

A survey of nearly 200 financial services compliance individuals conducted throughout February and March 2018 found that organizations are struggling to keep pace with evolving technologies and have fallen behind when it comes to oversight of electronic communications, according to Smarsh. Results of the 40-question survey were released this week in the Electronic Communications Compliance Survey

Despite its reputation as having the top law school in the country, Yale University is facing a second lawsuit after the personal information of more than 100,000 students was stolen by hackers in a data breach, according to GazetteXtra. Between April 2008 and January 2009, electronic records containing social security numbers, dates of birth and

by John E Dunn Stop me if you’ve heard this one before. In May, Polish researcher Błażej Adamczyk of the Silesian University of Technology contacted D-Link to tell it he’d discovered a trio of important security flaws affecting eight of its Wi-Fi routers. According to Adamczyk, D-Link replied two weeks later to say that two

The personal details of over half a million American voters has been leaked after yet another cloud database misconfiguration, this time by a right-wing fundraising organization. Researchers at UpGuard found a publicly readable Amazon S3 storage bucket at the end of August, belonging to the Tea Party Patriots Citizen Fund (TPPCF). The TPPCF is what’s

by Paul Ducklin Here’s Episode 6 of the Naked Security podcast. This week, Naked Security editor-in-chief Anna Brading talks to Sophos experts Paul Ducklin, Mark Stockley and Matthew Boddy about a security flaw in the WhatsApp app, a shopping site compromise using rogue JavaScript, and the latest strain of the in-your-face cybercrime known as sextortion.

Europol and the European Banking Federation have launched a new campaign designed to raise public awareness of growing incidents of financial fraud and data theft, as part of European Cyber Security Month (ECMS). Over the coming week, law enforcers from 28 EU member states as well as Colombia, Liechtenstein, Norway, Switzerland and Ukraine will be

by Paul Ducklin There’s a big brouhaha about a recently discovered SSH bug that could let crooks log into your computer without a password. SSH is very widely installed, everywhere from the server farm at your cloud provider to the off-the-shelf router you’ve got at home. We looked at the bug, explained how to gauge

Organizations globally are suffering a crippling cybersecurity workforce “gap” of 2.9 million employees today, putting the majority at greater risk of attack, according to the latest estimates from (ISC)². The global certifications body has introduced a new gap analysis methodology, which explains why the figures are so much higher than the predicted 1.8 million industry shortfall

by John E Dunn Apple’s iOS security team must be starting to feel as if they’re being besieged by security sleuth José Rodríguez. In his latest YouTube proof-of-concept, the Spaniard demonstrates how an attacker with physical access to an Apple device running iOS 12.0.1 (including the latest X and XS models) can gain access to

Global exposure to and losses from tech support scams has dropped over the past two years as consumers become more savvy, although in the UK the number suffering financially increased slightly, according to Microsoft. The computing giant polled over 16,000 internet users in 16 countries worldwide to better understand how trends are evolving. The latest

by Paul Ducklin Chrome 70 comes out today. Most people who use Google’s popular browser will receive the update, and either won’t realise or won’t especially care about the changes it contains. Next Tuesday, Firefox 63 will be released, and much the same thing will happen for users of Mozilla’s browser. But one of the

The US Department of Defense has suffered a major breach of employee’s personal and financial information, according to reports. An unnamed official told AP that the incident may have affected as many as 30,000 civilian and military personnel. A statement seen by the newswire confirmed that the incident had been discovered at the beginning of

by Naked Security writer Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time. Monday 8 October 2018 Unpatched routers bad, doubly unpatched routers worse – much, much worse! Attackers use voicemail hack to steal WhatsApp accounts Phantom Secure CEO sold encrypted phones to drug cartels

by Lisa Vaas A bipartisan group of 35 state attorneys general are tearing their hair out over robocallers. They’re telling the Federal Communications Commission (FCC) to implement technology that will identify illegally spoofed calls and authenticate legitimate ones, the sooner the better. In a letter sent to the FCC on Tuesday, the AGs submitted comments

A new variant of the Magecart attacks has been targeting smaller e-commerce operations, according to The Media Trust’s digital security and operations (DSO) team. Researchers found a new type of malware that targets payment pages on legitimate Magento-hosted retail sites. Dubbed CartThief, the malware’s behavior is similar to that of the current iteration of the

On October 11, 2018, WikiLeaks published AmazonAtlas, a 20-page document from late 2015 containing the addresses and operational details for more than 100 of Amazon’s data centers, one of which indicates an affinity for the comedy of Jerry Seinfeld. In addition to revealing the information about the data centers, located in 15 cities across nine countries,

by John E Dunn Kanye West did something incredibly unwise during his visit to the White House this week that had nothing to do with making the media and a famously impatient President Trump sit through a 10-minute expletive-laced monologue. Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered