France’s digital privacy regulator, the Commission nationale de l’informatique et des libertés (CNIL), announced on December 22, 2022 it had fined US tech giant Microsoft €60m ($64m), its largest this year, over advertising cookies. The CNIL found that Microsoft’s search engine, Bing, had not set up a system allowing users to refuse cookies as simply
Month: December 2022
by Paul Ducklin It’s the last regular working weekday of 2022 (in the UK and the US, at least), in the unsurprisingly relaxed and vacationistic gap between Christmas and New Year… …so you were probably expecting us to come up either with a Coolest Stories Of The Year In Review listicle, or with a What
Dec 30, 2022Ravie LakshmananPatch Management The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two years-old security flaws impacting TIBCO Software’s JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April
What are some of the key cybersecurity trends and themes that organizations should have on their radars in 2023? As another eventful year comes to a close, it’s time not only to take stock of and reflect on the defining moments of 2022, but especially to look ahead to the challenges that are likely to
The global political unrest from this year will seep into 2023 with serious ramifications for the security industry, according to Infosecurity Europe’s community of cybersecurity leaders. However, with stricter regulations and developments in Artificial Intelligence (AI) and Machine Learning (ML), CISOs may be in a stronger position to minimise threats next year. The organisers of
by Paul Ducklin These days, almost every decent app, along with some that are half-decent (as well as a few that aren’t very good at all) will offer you tabbed whateveritis. Even command windows, which used to be just what they said (windows in which one – and only one – command shell was running),
Dec 30, 2022Ravie LakshmananBug Bounty / Privacy A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices. The flaws “allowed an attacker within wireless proximity to install a ‘backdoor’ account on the device,
The past year has seen no shortage of disruptive cyberattacks – here’s a round-up of some of the worst hacks and breaches that have impacted a variety of targets around the world in 2022 The past year has seen the global economy lurch from one crisis to another. As COVID-19 finally began to recede in
Geopolitics will continue to have an impact on cybersecurity and the security posture of organizations long into 2023. The impact of global conflicts on cybersecurity was thrust into the spotlight when Russia made moves to invade Ukraine in February 2022. Ukraine’s Western allies were quick to recognize that with this came the threat of Russian-backed
by Paul Ducklin Remember quantum computing, and the quantum computers that make it possible? Along with superstrings, dark matter, gravitons and controlled fusion (hot or cold), quantum computing is a concept that many people have heard of, even if they know little more about any of these topics than their names. Some us are vaguely
Dec 29, 2022Ravie LakshmananServer Security / Citrix Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8
Happy Download Day! (Yes, there’s a day for that.) Today is an excellent day to share downloading best practices to keep all your devices safe from malicious content. It’s tempting to download “free” shows, movies, and video games, but the consequences of doing so can be quite expensive. All it takes is for one malicious
The FBI has warned that cyber-criminals are using search engine advertisement services to defraud the public. The public service announcement, issued on December 21, 2022, stated that threat actors are purchasing these ad services to impersonate brands for the purpose of luring users to malicious websites. These sites, which “look identical to the impersonated business’s
by Paul Ducklin Just before the Christmas weekend – in fact, at about the same time that beleaguered password management service LastPass was admitting that, yes, your password vaults were stolen by criminals after all – we noticed a serious-sounding Linux kernel vulnerability that hit the news. The alerts came from Trend Micro’s Zero Day
Dec 28, 2022Ravie LakshmananBlockchain / Android Malware Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyberattack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users’ digital currencies. “With maliciously implanted code, the altered APK led to the leak of user’s private keys and enabled the
There are no ifs, ands, or buts about it: A stolen identity creates a mess. Once they have a few key pieces of personally identifiable information (PII), an identity thief can open new credit lines, create convincing new identities, and ruin an innocent person’s good credit. If you suspect you’ve been affected by identity theft,
A prolific botnet that spreads primarily through IoT and web application vulnerabilities has added new exploits and attack capabilities, Microsoft has warned. Zerobot (aka ZeroStresser) is a Go-based botnet sold on the cybercrime underground via a malware-as-a-service model, which makes it relatively easy for its developers to update functionality regularly. Mainly used for distributed denial
Dec 27, 2022Ravie LakshmananData Security / Privacy Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018. The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those, including Cambridge Analytica
Password management giant LastPass has revealed that hackers that breached the firm in August made off with encrypted customer vault data and unencrypted account information. The update comes after the firm originally said that the incident only resulted in a breach of “source code and some proprietary LastPass technical information.” Then at the end of
Dec 26, 2022Ravie LakshmananReverse Engineering Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. “New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings,” CrowdStrike researchers Sarang Sonawane and Donato Onofri
‘It’s the most wonderful time of year’ – we’ve all heard the jingles and read the slogans. But the holiday season can also be a little overwhelming when you’re the one ‘in charge’. Whether it’s prepping for the inevitable influx of new devices, buying the gifts or booking the holiday – there are a lot
US President Joe Biden has signed the Quantum Computing Cybersecurity Preparedness Act into law this week (December 21, 2022). The law is designed to secure the federal government systems and data against the threat of quantum-enabled data breaches, ahead of ‘Q Day’ – the point at which quantum computers are able to break existing cryptographic
Dec 24, 2022Ravie LakshmananSoftware Security / Supply Chain Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer,
The number of new viruses grows every day. In fact, McAfee registers an average of 1.1 million new malicious programs and potentially unwanted apps (PUA) each day, which contributes to the millions and millions already in existence. While there is no way to know when or how cyberattacks will occur, it’s clear that antivirus software
What was just a rumor has been confirmed: employees of ByteDance, the China-based company that owns TikTok and its Chinese counterpart Douyin, accessed data from TikTok to track a Financial Times reporter and a former BuzzFeed reporter in a bid to identify the source of leaks to the media, ByteDance’s general counsel Erich Andersen admitted
by Paul Ducklin Popular password management company LastPass has been under the pump this year, following a network intrusion back in August 2022. Details of how the attackers first got in are still scarce, with LastPass’s first official comment cautiously stating that: [A]n unauthorized party gained access to portions of the LastPass development environment through
Dec 23, 2022Ravie LakshmananEncryption / Privacy / Browser The developers behind the Brave open-source web browser have revealed a new privacy-preserving data querying and retrieval system called FrodoPIR. The idea, the company said, is to use the technology to build out a wide range of use cases such as safe browsing, scanning passwords against breached
The UK’s data protection watchdog has hit out at several newspaper editors for misrepresenting the nature of a draft code of practice for journalists. The Information Commissioner’s Office (ICO) is currently working with the media industry to develop a Journalism Code of Practice. The aim is to help journalists meet their statutory data protection obligations,
by Paul Ducklin STOP THE CROOKS BEFORE THEY STOP YOU! Paul Ducklin talks to world-renowned cybersecurity expert Fraser Howard, Director of Research at SophosLabs, in this fascinating episode, recorded during our recent Security SOS Week 2022. When it comes to fighting cybercrime, Fraser truly is a “specialist in everything”, and he also has the knack
Dec 23, 2022Ravie LakshmananCyber Espionage / Pakistani Hackers A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that’s used by Indian government officials. Cybersecurity firm Securonix dubbed the activity STEPPY#KAVACH, attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks. “.LNK files are
- 1
- 2
- 3
- 4
- Next Page »