Legacy software vulnerabilities have created opportunities for hackers to steal credit card data and other personal information using tiny point of sale (POS) malware, according to research published by Forcepoint. Researchers reportedly analyzed 2,000 samples of POS malware and found that many are handcrafted, written in assembly code and very small; thus, researchers aptly named the

by Paul Ducklin Today is World Password Day, and that means it’s a day that’s all about caring and sharing… …but WITHOUT THE SHARING! We made a short video to catch your attention: (Watch directly on YouTube if the video won’t play here.) None of the passwords in the video seem truly terrible – there’s

Cyber-attacks in the UK grew by an alarming 140% in 2018, according to a cyber-threat landscape report by eSentire that discusses the most impacted industries in the UK and which types of attacks were the most successful. Attacks on IoT devices have also seen significant growth, with “a growing trend in IoT exploits targeting cameras, door

by Maria Varmazis Our whole lives and livelihoods are wrapped up in our data. That data is especially vulnerable at border crossings and in unfamiliar environments. There are plenty of security products available on the internet for the privacy-minded traveler – if you feel like going shopping, a quick search will turn those up for

Organizations continue to face challenges with managing open source risk, according to a new report published today by published today by Synopsys Cybersecurity Research Center (CyRC). The annual Open Source Security and Risk Analysis (OSSRA) Report, analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with

by Danny Bradbury When is an address bar not an address bar? When it’s a fake. Security researcher James Fisher has run across a sneaky attack that could fool unwitting mobile users into browsing a phishing site with an address bar displaying a legitimate URL. The trick exploits the way that the Android version of

App developer DO Global, a Chinese developer partly owned by Baidu that generates over a half billion installs, has been banned from Google Play after the store received reports the apps were part of an ad fraud scheme, according to BuzzFeed News. As of April 26, 46 apps from DO Global had reportedly been removed from

by John E Dunn After more than 20 years of steady improvement, the US National Institute of Standards and Technology (NIST) thinks it has reached an important milestone with something called Combinatorial Coverage Measurement (CCM). Part of a research toolkit called Automated Combinatorial Testing for Software (ACTS), CCM is an algorithmic approach used to test software

After Facebook alerted the Data Protection Commission (DPC) that it had found hundreds of millions of user passwords stored in its internal servers in plain text format, DPC launched an investigation to determine whether the company had acted in compliance with the General Data Protection Regulation (GDPR), according to an April 25 press release. According

by John E Dunn What is it about a secure password that makes us think it’s secure? Traditionally, for businesses it’s been things like complexity, minimum length, avoiding known bad passwords, and how often passwords are changed to counter the possibility of undetected compromise. And yet, recently, the last of those orthodoxies – password expiration

The Hong Kong branch of Amnesty International has reportedly been the target of a sophisticated state-sponsored attack believed to have been carried out by a group of hostile threat actors within the Chinese government. An April 25 press release from Amnesty International said the cyber-attack was detected on March 15, 2019, after monitoring tools identified

by Lisa Vaas True, we accidentally swapped fingerprints for Danish citizens’ left and right hands on their passports, but it probably won’t cause much grief for these 228,000 people, said the head of Kube Data, which encoded the biometric data on the passports’ microprocessors. The Copenhagen Post quoted Jonathan Jørgensen: It’s difficult to imagine that

After years of requesting a seat at the table, cybersecurity professionals are starting to feel that they see eye to eye with their stakeholders, according to a new report. The AT&T cybersecurity report surveyed 733 security experts at the RSA 2019 conference and found that the vast majority of respondents feel mostly or somewhat in

by Danny Bradbury The National Security Agency (NSA) has asked to end its mass phone surveillance program because the work involved outweighs its intelligence value, according to reports this week. Sources told the Wall Street Journal that the NSA has recommended the White House terminates its call data records (CDR) program. The logistics of operating

A new law in Washington expanded regulations that mandate when consumers must be notified if a malicious actor gains access to their private data, according to a press release from the state’s office of the attorney general (AG). In response to AG Bob Ferguson’s request for legislators to strengthen the state’s data breach notification laws,

by Paul Ducklin A US security researcher has come up with an open-source Windows backdoor that is loosely based on NSA attack code that leaked back in 2017 as part of the the infamous Shadow Brokers breach. The researcher, who goes by @zerosum0x0 online and Sean Dillon in real life, has dubbed his new malware

Across the healthcare sector, ransomware is reportedly no longer the most prevalent security threat, according to new research from Vectra that found attacks decreased during the second half of 2018. The Vectra 2019 Spotlight Report on Healthcare found that internal human error and misuse occur much more frequently than hacking. In addition, a growing number

by Danny Bradbury Malware isn’t the only toxin you can deliver to a computer via a USB key. Just ask Vishwanath Akuthota, who faces a potential ten-year stretch after frying at least 66 computers at his former college. Akuthota originally pled not guilty to intentionally damaging a protected computer at the College of St. Rose, in

The European Parliament has approved plans to boost physical security by implementing a mass identity database, although privacy concerns persist. The Common Identity Repository (CIR) will centralize the personal information of nearly all non-EU citizens in the EU’s visa-free Schengen region. The latter covers the vast majority of the EU except for Ireland and the

by Paul Ducklin Nokia’s funky new phone, known as the Nokia 9 PureView, has some very cool features. Five of them, in fact – five cameras, arranged on the back of the phone like a spider’s eye, capturing 12 megapixels each to make the device a snapper’s delight. The Nokia 9 also includes a fingerprint

During a visit to San Francisco, Singapore foreign affairs minister Vivian Balakrishnan commented that the country cannot “go back to pen and paper. … If people lose confidence in the integrity and security of the system, then all these aspirations cannot be fulfilled.” The comments follow information coming into the open regarding data breaches, one

by Paul Ducklin Last week we wrote about “ransomware from afar” – attacks in which cybercrooks apparently aim ransomware at you across the internet. Whether they hack someone else’s computer on which to run the malware program, or deliberately set up a sacrificial laptop or virtual machine (software-based computer) of their own, the outcome is

Since 2016, Facebook has reportedly harvested email contacts of 1.5 million users without their consent. According to Business Insider, the media outlet that broke the story, the company had been collecting the contact lists of new users since May 2016.  In a statement, Facebook confirmed that it had been unintentionally uploading this data when people were

by Paul Ducklin The featured image comes from @MalwareTechBlog, the Twitter feed of Marcus Hutchins.Louise Mensch is an independent British/American journalist. Remember the reluctant WannaCry hero? WannaCry was ransomware that made big headlines in mid-2017 for two important reasons. First, it was a true computer worm, or virus, that automatically propagated itself to the next

The Weather Channel, based in Atlanta, Georgia, has been hit with a cyber-attack that knocked it off the air for 90 minutes.  On April 18, 2019, the organization took to its Twitter channel to confirm that it had been hit by a “malicious software attack” on its network but as of press time hasn’t released any

by Lisa Vaas User privacy is super-duper important, Facebook has said publicly for years out of one side of its mouth, while on the other side it’s been whispering to third-party app developers to come on in and feast – this user data is tasty. Well, that’s confusing, its own employees have said, according to

After two years of investigating, yesterday Robert S. Mueller III finally released his investigation, Report on the Investigation into Russian Interference in the 2016 Presidential Election. The 448-page report looks into Russian interference specifically but also into any individuals in the US that may have been involved.  Appointed in May 2017 as Special Counsel to the

by Paul Ducklin About a month ago, Facebook owned up to a programming blunder that’s been a top-of-the-list coding “no-no” for decades. The social networking behemoth admitted that it had been logging some passwords in plaintext, saving a record of exactly what your password was, character by character, rather than just keeping a cryptographic hash

A security researcher identified eight unsecured databases that held “approximately 60 million records of LinkedIn user information.” GDI Foundation, where the security researcher is from, is a nonprofit organization with a mission to “defend the free and open Internet by trying to make it safer.” The researcher, Sanyam Jain, contacted Bleeding Computer when he noticed “something

by Paul Ducklin Imagine that you’ve been hit by ransomware. All your data files are scrambled, you’re staring at a ransom note demanding $1000, and you’re thinking, “I wish I hadn’t put off updating that cybersecurity software.” When the dust has settled – hopefully after you’ve restored from your latest backup rather than by paying