by Lisa Vaas A bug in Facebook’s photo API may have exposed up to 6.8 million users’ photos to app developers, the company announced on Friday. Facebook said that normally, when a user gives permission for an app to get at their Facebook photos, the developers are only supposed to get access to photos that are

Printers around the world appear to have been hijacked again with a message to subscribe to a popular YouTube vlogger, and improve their cybersecurity. Those behind the attack are thought to be the same ones that managed to get a message in support of social media star PewDiePie printed out on 50,000 machines last month.

by Lisa Vaas Oh, those incorrigible password abusers. After all these years of being shamed (if they cared or were paying attention), they’re still using “123456” as a password. This year, according to SplashData’s annual worst password list, that stale cracker came in at No. 1. Again. “password” was the No. 2 dust bunny to

Law enforcement agencies across the country spent the better part of yesterday evening investigating a slew of bomb threats delivered by email to businesses and universities across the US and Canada. The hoax email warning that an explosive device was in the recipient’s place of work evoked fear among many Americans yesterday, according to KrebsonSecurity.

by Lisa Vaas Facebook filed a patent, titled “Offline Trajectories,” last week in which it proposes predicting users’ “location trajectories” – in other words, where we’re likely headed. Knowing when we’re about to hurtle into a no-WiFi-connection limbo means Facebook can “prefill” our phones with content and ads. It knows enough to know a lot more

An unprotected ElasticSearch server led to a potentially massive data leak for a popular avatar app maker, Boomoji. The app, which is based in China and has 5.3 million users across the globe, allows iOS and Android users to create 3D avatars. The personal data of its entire user base was exposed after Boomoji reportedly left

by Danny Bradbury Google keeps tabs on much of your activity, including your browsing history and your location. Now, it turns out that its YouTube service is also reading what’s in your videos, too. Programmer Austin Burk, who goes by the nickname Sudofox, discovered the issue after discovering a cross-site scripting (XSS) flaw on another site.

Unpatched security vulnerabilities remain the biggest threat to UK retailers as they increase spending to mitigate risk during the busy Christmas shopping period, according to Infoblox. The security vendor polled 3000 consumers and retail IT professionals across Europe and the US to better understand their attitudes to data security during December. In the UK, the

by John E Dunn With WordPress 5.0 ‘Bebo’ out of the gate, the next job is to patch the flaws that have accumulated since the last Security and Maintenance release in July. The update for that job is this week’s WordPress 5.0.1, which backports security fixes all the way to version 3.7, excepting a small

The Chinese government is responsible for the massive breach recently disclosed by Marriott International, according to new reports. Two people briefed on the ongoing investigation told the New York Times that the attackers are suspected of working for China’s sprawling Ministry of State Security (MSS). The hack, it is claimed, was part of a major

by Lisa Vaas A recently patched trio of flaws in Samsung’s mobile site was leaving users vulnerable to attackers who could have reset their user passwords and hijacked their accounts, The Register reports. The flaws were found by security researcher Artem Moskowsky, who said that they were all cross-site request forgery (CSFR), or, alternatively, XSRF,

Security researchers have discovered a major targeted attack campaign aimed at stealing info from scores of mainly English-speaking organizations around the world and using source code from the infamous Lazarus Group. What McAfee has dubbed “Operation Sharpshooter” targets government, defence, nuclear, energy and financial organizations, mainly in the US but also the UK, Canada, Australia,

by Lisa Vaas Incorrigible SWATter George Duke-Cohan, a British teenager from a village near Watford, just north of London, has now been sentenced to three years in prison, according to the UK’s National Crime Agency (NCA). In September, Duke-Cohan – at 19, the most outspoken member of a distributed denial of service (DDoS) gang –

New research has revealed a dearth of qualified cybersecurity staff in the NHS and low levels of spending on in-house training for employees. RedScan received Freedom of Information (FOI) responses from 159 trusts between August and November. It found that nearly a quarter of trusts have no qualified security professionals working in-house despite some of

by John E Dunn What’s the safest way for a criminal to buy counterfeit banknotes? Curiously, it’s not necessarily from the dark web, as 235 people now “detained” by police have just discovered. According to Europol, between 19 November and 3 December police forces in 13 countries searched 300 properties, uncovering caches of drugs, guns

Over two-thirds of UK firms have fallen victim to a cyber-attack over the past year, with many claiming they don’t get enough guidance from the government on how to combat threats, according to RedSeal. The security vendor polled over 500 UK IT professionals from mainly SMBs to better understand their cyber-resilience levels. Some 68% claimed

by Lisa Vaas In a year in which facial recognition has made massive strides to invade personal privacy and settle in as a favored tool for government surveillance, Microsoft isn’t just open to government regulation; it’s asking for it. On Thursday, in a speech at the Brookings Institution, Microsoft President Brad Smith warned about facial

According to the EU GDPR (General Data Protection Regulation) Implementation Review Survey conducted by IT Governance, six months after the GDPR went into effect, the majority of organizations are failing to implement the mandatory regulations. The study included 210 responses from participating organizations ranging in size from fewer than 10 to more than 1,001 employees from across

by Lisa Vaas VTech, the Hong-Kong-based smart-toy maker has hit another bump in the road. This time around, it’s a serious security flaw in the software of VTech’s flagship tablet, the Storio Max, which is called the InnoTab Max in the UK. The flaw could allow hackers to remotely take control of the device and

A series of cyber-robbery attacks have been targeting financial organizations in Eastern Europe, according to new research from Kaspersky Lab. Researchers found that the series of attacks, dubbed DarkVishnya, have affected at least eight banks in the region, with estimated losses running into the tens of millions of dollars. Based on data collected through Kaspersky Lab’s

by John E Dunn If you’re among the holdouts still running Flash, you have some more updating homework to do. Adobe has issued an out-of-band patch after researchers spotted a Flash zero-day flaw being exploited in the wild. The discovery was made by Qihoo 360 which on 29 November noticed a targeted APT (Advanced Persistent

Over two-fifths of organizations have fallen victim to a so-called Business Process Compromise (BPC) attack, despite widespread ignorance from senior execs about the threat, according to Trend Micro. The security giant polled over 1100 IT decision makers responsible for security across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium and the

by Paul Ducklin On the Naked Security podcast this week: Marriott’s huge and scary data breach, a bug in software management software could be a data thief’s goldmine, and a self-righteous “hacker” prints out an advert on 50,000 internet printers. With Anna Brading, Mark Stockley, Matthew Boddy and Paul Ducklin. LISTEN NOW (Audio player above

Speaking at Black Hat Europe in London, Nahman Khayet, security researcher and Shlomi Boutnaru, CTO at Rezilion, explored the current cybersecurity skills shortage and its link to the education system. Khayet explained that there are three main characteristics of security experts, which are ‘thinking outside the box,’ ‘adversarial thinking’ and ‘technical knowledge.’ He also cited

by Danny Bradbury Kubernetes, a tool that powers much modern native cloud infrastructure, just got its first big security bug – and it’s a mammoth one. The flaw could give an attacker unfettered access to the software applications that rely on the tool to operate. Kubernetes is a software tool that manages large numbers of

Delivering the opening keynote at the Black Hat Europe conference in London, Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace, spoke of the 2007 attacks by Russia on her home nation of Estonia, and how it was “primitive by today’s standards” but enabled the country to build better defenses and its

by John E Dunn Are the underpinnings of HTTPS security as foolproof as everyone assumes they are? The answer should be a resounding ‘yes’ unless, that is, you happen to be one of a small group of researchers who spend their time formulating what have come to be known as Bleichenbacher or Vaudenay padding oracle

Security researchers have discovered cybersecurity scammers in Russia are generating hundreds of thousands of dollars in profits by falsely claiming to be able to unlock encrypted files. Check Point explained that one ‘IT consultancy’ named Dr Shifro is promising customers it can help them recover from ransomware like Dharma/Crisis, for which there is no known

by Lisa Vaas A battle for who owns the YouTube crown for top channel has been waged over the past few months between fans of Swedish video game commentary celebrity Felix “PewDiePie” Kjellberg and of the Bollywood label T-Series. This is getting serious: It’s one thing when a fan launches a PewDiePie “Bro Army,” structured

There has been an increase in the volume of cybercrime incidents reported to English police of 14% over the past two financial years, according to a new report. Think tank Parliament Street filed Freedom of Information (FOI) requests with the country’s police forces, asking for a breakdown of Computer Misuse Act crimes which involve hacking,