Global exposure to and losses from tech support scams has dropped over the past two years as consumers become more savvy, although in the UK the number suffering financially increased slightly, according to Microsoft. The computing giant polled over 16,000 internet users in 16 countries worldwide to better understand how trends are evolving. The latest

by Paul Ducklin Chrome 70 comes out today. Most people who use Google’s popular browser will receive the update, and either won’t realise or won’t especially care about the changes it contains. Next Tuesday, Firefox 63 will be released, and much the same thing will happen for users of Mozilla’s browser. But one of the

The US Department of Defense has suffered a major breach of employee’s personal and financial information, according to reports. An unnamed official told AP that the incident may have affected as many as 30,000 civilian and military personnel. A statement seen by the newswire confirmed that the incident had been discovered at the beginning of

by Naked Security writer Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time. Monday 8 October 2018 Unpatched routers bad, doubly unpatched routers worse – much, much worse! Attackers use voicemail hack to steal WhatsApp accounts Phantom Secure CEO sold encrypted phones to drug cartels

by Lisa Vaas A bipartisan group of 35 state attorneys general are tearing their hair out over robocallers. They’re telling the Federal Communications Commission (FCC) to implement technology that will identify illegally spoofed calls and authenticate legitimate ones, the sooner the better. In a letter sent to the FCC on Tuesday, the AGs submitted comments

A new variant of the Magecart attacks has been targeting smaller e-commerce operations, according to The Media Trust’s digital security and operations (DSO) team. Researchers found a new type of malware that targets payment pages on legitimate Magento-hosted retail sites. Dubbed CartThief, the malware’s behavior is similar to that of the current iteration of the

On October 11, 2018, WikiLeaks published AmazonAtlas, a 20-page document from late 2015 containing the addresses and operational details for more than 100 of Amazon’s data centers, one of which indicates an affinity for the comedy of Jerry Seinfeld. In addition to revealing the information about the data centers, located in 15 cities across nine countries,

by John E Dunn Kanye West did something incredibly unwise during his visit to the White House this week that had nothing to do with making the media and a famously impatient President Trump sit through a 10-minute expletive-laced monologue. Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered

by Lisa Vaas For those Facebook users who still cling to the notion that they can limit Facebook’s tracking of our lives like it’s an electronic bloodhound, you should be aware that its Instagram app has been prototyping a new privacy setting that would enable location history sharing with its parent company. It was first

With “well over” 1% of the world’s top one million websites still using a Symantec certificate, Mozilla has suspended plans to distrust the TLS certificates issued by the Symantec Certification Authority, which is now a part of DigiCert. According to a statement by Mozilla’s certification authority program manager Wayne Thayer, so many websites continue to use

Blockchain is revolutionizing the global economy, according to Nitin Uttreja and Ashish Dwivedi of CA Technologies. In their session, How Blockchain Is Revolutionizing Cybersecurity, Uttreja and Dwivedi said that blockchain companies enable banks to transact with other banks for improved efficiency of cross-border transactions. “The distributed-ledger technology is not just restricted to the banking or financial world. Blockchain

by Paul Ducklin Google just unsealed information about an apparently exploitable bug in WhatsApp that could have allowed a malevolent caller to take over your device. Just answering a call could have been enough to land you in trouble. Project Zero researcher Natalie Silvanovich found a buffer overflow that could be triggered by data transmitted

As the threat landscape continues to evolve, many who are overwhelmed today may not have the time to think about whether they are prepared for the threats of tomorrow. Those who attended Viruses, Trojans, Worms, Malware and Ransomware: What’s Next and Are We Prepared? with Tony Cole, CTO, Attivo Networks, at the 2018 Security Congress learned that

by Paul Ducklin Thanks to Ross McKerchar, our CISO at Sophos, and Luke Groves, one of our Senior Penetration Testers,for their help with this article. The past week has seen the beginning of a saga that feels as though it could end up like Homer’s Odyssey or Virgil’s Aeneid… …a fascinating, entertaining, confusing, politically charged

Director of game research and development for the Institute for the Future, Jane McGonigal, opened her luncheon keynote at the 2018 Security Congress with what she considered exciting news by announcing that human beings have reached a milestone: People spend 2.5 billion minutes a day playing League of Legends.  “To put that in perspective, that’s the

by Paul Ducklin Back in August we wrote about a security bugfix for Mikrotik routers that was reverse engineered and turned into a working exploit. Indeed, patches that fix security vulnerabilities often end up giving away enough about the vulnerability that both good guys and bad guys alike can weaponise it from first principles –

by Lisa Vaas Well, well, well, many of us are now thinking. Sure, Facebook was fun while it lasted. But really, post-Cambridge Analytica/mega-breach/data slurping/fake news/Russian propaganda/et al., for some people it’s time to move on. Time to delete the account once and for all. Well, if you’ve really decided, after all that, to finally thumbs-down

A regional US fast food chain has become the latest victim of the notorious Fin7 hacking group after a breach of card data involving countless customers. The FBI informed Pacific North West chain Burgerville on August 22 that it had been a target of the group, also known as Carbanak. It was believed that the

by Danny Bradbury Fed up with navigating alphabet soup when trying to buy fast wireless networking that reaches from one end of the house to the other? Then rejoice, for the high priests of Wi-Fi just made your life – and the lives of wireless network equipment vendors everywhere – a little easier. The next

A security vendor has discovered nearly 200 domains spoofing legitimate UK news sites in order to spread fake news. DNS security firm DomainTools ran a search on five of the UK’s most popular sites: BBC News, Sky News, ITV News and the websites of the Guardian and the Daily Mail newspapers. It discovered 197 domains

Credential phishing campaigns, in which high-profile individuals are unwittingly falling victim to malicious actors who are looking to gain access into business systems, have proven to be a successful attack vector. According to a new Menlo Security report, Understanding a Growing Threat: Credential Phishing, credential phishing is a quickly growing cyber-attack and is increasingly becoming

by Lisa Vaas Step aside Amazon, drone deliveries are already a thing in prisons. There are many things that conspirators on the outside can do drone-wise: drop mobile phones, chargers, batteries, drugs, knives, memory cards, earphones, saws, or even drills. There are also many ways for those drone drops to be duds: sometimes they crash

Traditional applications continue to introduce risks into the enterprise, and the number of serious vulnerabilities has increased across most sectors, according to WhiteHat Security. The 2018 Application Security Statistics Report: The Evolution of the Secure Software Lifecycle found that in addition to traditional applications, the vulnerabilities in agile development frameworks, micro-services, application programming interfaces (APIs)

by Mark Stockley Over the summer I decided to give my kids an old Apple laptop to share. We use laptops for school homework from time to time but my kids spend most of their screen time poking and swiping tablets. I wanted to broaden their horizons a little: do a bit of coding; a

Eighteen vulnerabilities have been disclosed in Foxit PDF Reader, a commonly used alternative to Adobe Acrobat Reader, which is a widely used browser plugin, according to Cisco Talos. “Foxit PDF Reader is one of the most popular free tools for viewing, commenting on and editing PDF documents. Due to the popularity of the PDF file

by Lisa Vaas Taking work-related documents home to study might get you a promotion and pay raise at some jobs, but not when your employer is the National Security Agency (NSA) – and most certainly not when those materials are classified. Former NSA employee Nghia Hoang Pho, 68 – a naturalized US citizen who was

US financial services firms suffered three-times more data breaches in the first six months of 2018 than during the same period in 2016, according to new data from Bitglass. The security vendor aggregated data from the Identity Theft Resource Center (ITRC) and the Privacy Rights Clearinghouse (PRC) to gain insight for its Financial Breach Report

by Danny Bradbury Hackers are taking over high-profile Instagram users’ accounts and holding them to ransom, it was revealed this week. At least four influencers have lost control of their accounts and received demands to send bitcoin for their return, but in some cases the attackers retained control or deleted the accounts. Motherboard reported that

by Maria Varmazis It’s crucial to arm kids with knowledge of how to protect themselves and their information online, not only in the moment, but also for the future – a concept many kids may not really care about or even grasp. If you’re looking for the best way to start a conversation with your

The Information Commissioner’s Office (ICO) has fined Bupa Insurance Services Limited (Bupa) £175,000 for its failure to protect the personal information of its customers. Had the timing of the breach been different, Bupa would have faced fines under the General Data Protection Regulations (GDPR), but the security incident occurred prior to those regulations going into