Two different WordPress plugins have caused a few headaches this week. Hackers reportedly exploited an old vulnerability found in the WordPress plugin WP Cost Estimation & Payment Forms Builder, according to Wordfence. A second and critical vulnerability was also found in the Simple Social Buttons plugin, according to WebARX. The flaw in the WP Cost Estimation plugin, which is

by Lisa Vaas On Monday, a federal judge ordered that legal documents about the government’s fight to force Facebook to break Messenger encryption will be kept secret, Reuters reports. In doing so, the judge denied motions from the American Civil Liberties Union (ACLU), the Washington Post and other groups that sought to unseal a federal

In the aftermath of multiple reports that millions of stolen records were dumped on the dark web, the dating app Coffee Meets Bagel confirmed that the accounts of approximately six million users were compromised in a breach, according to a Coffee Meets Bagel (CMB) spokesperson. The company also said that the stolen data was indeed part of

by Paul Ducklin Remember how the world’s biggest social network got into trouble with Apple recently over an app called Facebook Research? The app wasn’t designed for general use – in fact, Facebook couldn’t make it openly available to everyone because it was too snoopy to be allowed in the App Store. Amongst other things,

Only days after Infosecurity reported that OkCupid users said their accounts had been hacked, Checkmarx disclosed that the OkCupid Android App actually posed risks because of security failures in MagicLinks. It’s well known that malicious actors love to exploit a good holiday, which puts users at risk on Valentine’s Day. To identify any potential vulnerabilities,

by Mark Stockley Thanks to Sophos experts Vikas Singh and Peter Mackenzie for the research in this article. Just before 9pm on Sunday, 3 February 2019, a GandCrab executable sparked into life for an instant, before its brief existence was snuffed out by antivirus software. Stopped in its tracks, the malware triggered the first of what

The dark web seller identified as gnosticplayers on Dream Market has removed all listings that were previously up for sale, which reportedly included upwards of 620 million account records. “All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don’t worry, next

by Paul Ducklin In this week’s Naked Security Live video, we’re giving you three quick and easy security tips for Valentine’s Day… …and for every other Day (and every other day) in the year. (Watch directly on YouTube if the video won’t play here.) PS. Like the shirt in the video? They’re available at: https://shop.sophos.com/

Across healthcare organizations in the US, malicious actors are successfully leveraging phishing attacks to initially gain access to networks, according to findings from the 2019 HIMSS Cybersecurity Survey published by the Healthcare Information and Management Systems Society (HIMSS). The study, which surveyed 166 qualified information security leaders from November to December 2018, found that there

by Paul Ducklin If you’re a fan of retro gaming, you’ve probably used an emulator, which is a software program that runs on computer hardware of one sort, and pretends to be a computer system of its own, possibly of a completely different sort. That’s how your latest-model Mac, which has an Intel x64 CPU,

A security issue that affects several open source container management systems, including Amazon Linux and Amazon Elastic Container Service, has been disclosed by AWS. The vulnerabilities (CVE-2019-5736) were reportedly discovered by security researchers Adam Iwaniuk, Borys Poplawski and Aleksa Sarai and would allow an attacker with minimal user interaction to “overwrite the host runc binary and thus gain

by Paul Ducklin A recent BBC TV series entitled Icons asked the question, “Who was the greatest person of the 20th century?” That’s a huge and controversial question in any country, in any language, in any category – and, as you can imagine, the answer’s even bigger, and no doubt even more controversial. There were

Researchers have warned users of a new phishing technique which uses Google Translate to add authenticity to scams. Akamai security researcher Larry Cashdollar explained in a blog post that he was targeted by this tactic early in the new year, receiving an email telling him his Google account had been accessed from a new Windows

by John E Dunn For the second time in a year, illegal child abuse images have been spotted inside a blockchain. According to a post by web blockchain payments system Money Button, on 30 January its service was abused to place “illegal content” inside the Bitcoin Satoshi Vision (BSV) ledger, a recent cryptocurrency hard fork

The Metropolitan Police force has been ‘trialing’ its controversial facial recognition cameras again and the latest deployment resulted in just one individual being charged. The capital’s police have been using these cameras for several years but FOI responses from several forces sent to rights group Big Brother Watch last year revealed the technology is 98-100%

by Lisa Vaas What would you call it if your iOS apps were tracking your every tap and your every swipe, then sending what amounts to a running series of screen captures off to servers to scrutinize – sometimes to their own servers, sometimes to those at a third-party customer experience analytics firm? … sometimes

News has surfaced of an attempted cyber-attack on the Australian government. As reported by the BBC, authorities in Australia are said to be investigating an effort that was made to hack into its parliament computer network. It is believed that information was not accessed and that the passwords of politicians were reset as a precaution.

by Paul Ducklin A trio of bugs caused by programming inconsistencies could have opened up Android 7, 8 and 9 to remote attackers wielding booby-trapped image files. In Google’s own words: [These bugs] could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.

Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint. It’s Q4 threat report found that banking trojans accounted for 56% of all malicious payloads in email in Q4, while remote access trojans (RATs) accounted for 8.4%. Proofpoint claimed that this marked a

by Paul Ducklin Traditional computers work with binary digits, or bits as they are called for short, that are either zero or one. Typically, zero and one are represented by some traditional physical property – a hole punched in a tape, or no hole; a metal disc magnetised one way or the other by an

There is a growing disconnect between how companies capitalize on customer data and how consumers expect their data to be used, a new report from RSA Security has discovered. The firm polled more than 6000 individuals across France, Germany, the United Kingdom and United States to explore the nuances of ethical data use and consumer

by Lisa Vaas Dating/hook-up app Jack’d is publicly sharing, without permission, photos that users think they’re sharing privately. The Android version of the app has been downloaded 110,562 times from Google’s Play store, and it’s also available on iOS. Jack’d is designed to help gay, bi and curious guys to connect, chat, share, and meet

Graphic novel fans, particularly those Kindle readers who adore the popular John Wick series, may have unknowingly downloaded fake ebooks promising them the opportunity to stream the third film installment prior to its release in May, according to Malwarebytes. The empty promise could do more than disappoint fans, though. According to researchers, the ebooks, which

by Paul Ducklin In this episode, we look at who was at fault in a network home invasion, investigate how both Google and Facebook fell foul of Apple’s developer rules, and answer the vital question, “Which is better, Android or iPhone?” With Anna Brading, Paul Ducklin and Matthew Boddy. This week’s stories: Hacker talks to

A UK bank fell victim to a malicious SS7 attack that led to cyber-criminals emptying bank accounts at the UK’s Metro Bank, according to Motherboard. Though malicious actors have been able to exploit flaws in telecommunication infrastructure for years, it’s not being reported that attacks are able to intercept codes used for banking using Signaling

by John E Dunn Fifth generation (5G) wireless test networks are barely in the ground and already researchers say they’ve uncovered new weaknesses in the protocol meant to secure it. 5G security is built around 5G AKA (Authentication and Key Agreement), an enhanced version of the AKA protocol already used by 3G and 4G networks.

February 1 is change your password day, an annual “holiday” established back in 2012, according to a blog post from Gizmodo, as a way to get a wide collection of end users to change their passwords together. Over the course of the past seven years, though, passwords have continued to create enormous risks to enterprise

by John E Dunn How many user credentials have fallen into the hands of criminals during a decade of data breaches? Earlier this month, the Have I Been Pwned? (HIBP) website offered a partial answer to that question by uploading something called Collection #1, a database of 773 million unique email addresses discovered circulating on

Two years after President Trump taking office, the Foundation for Defense of Democracies has issued its midterm assessment, The Trump Administration’s Foreign and National Security Policies, which looks in part at the administration’s cyber policies and the advances therein. Authored by Annie Fixler, deputy director for the Center on Cyber and Technology Innovation (CCTI), and David Maxwell,

by Paul Ducklin A recent bug in a very widely used Linux system tool called systemd has just been turned into a published exploit by a US cybersecurity company called Capsule8. The systemd project is a large, complex and popular – but also controversial – toolkit used by many mainstream Linux distros to handle system