S2 Ep42: Apple auth attack, Octopus Scanner, Escobar escapades – Naked Security podcast
by Alice Violet on June 5, 2020 at 15:18
The latest Naked Security podcast is out now!
Botnet blasts WordPress sites with configuration download attacks
by Paul Ducklin on June 5, 2020 at 14:35
A million sites attacked by 20,000 different computers.
You DID change your password after that data breach, didn’t you?
by Paul Ducklin on June 4, 2020 at 17:36
Apparently, some people consider their passwords "invincible", even after a data breach. Don't be those people.
Mozilla fixes high‑risk Firefox flaws, bug in DoH feature
by Tomáš Foltýn on June 4, 2020 at 16:43
The browser maker rolls out updates on back-to-back days, including a patch to avoid unintentionally overloading DNS providers The post Mozilla fixes high‑risk Firefox flaws, bug in DoH feature appeared first on WeLiveSecurity
Nuclear missile contractor hacked in Maze ransomware attack
by Lisa Vaas on June 4, 2020 at 11:54
Attackers hacked and encrypted the computers of a contractor whose clients include the US military, government agencies and major military contractors.
Google deletes Indian app that deleted Chinese apps
by Danny Bradbury on June 4, 2020 at 09:38
Google has deleted an app from the Play Store that offered to delete Android software associated with China.
Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion
by BrianKrebs on June 3, 2020 at 22:00
An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico's top tourist destinations disrupted their highly profitable business, which raked in an estimated $20 million a month and enjoyed the protection of top Mexican authorities.
Firefox fixes cryptographic data leakage in latest security update
by Paul Ducklin on June 3, 2020 at 16:37
How time flies - the latest four-weekly Firefox update is out.
Making the Advanced Protection Program and Titan Security Keys easier to use on Apple iOS devices
by Sarah O'Rourke on June 3, 2020 at 16:00
Posted by Christiaan Brand, Product Manager, Google Cloud Starting today, we’re rolling out a change that enables native support for the W3C WebAuthn implementation for Google Accounts on Apple devices running iOS 13.3 and above. This capability, available for both personal and work Google Accounts, simplifies your security key experience on compatible iOS devices and allows you to use more types of security keys for your Google Account and the Advanced Protection Program.Using an NFC security key on iPhoneMore security key choices for usersBoth the USB-A and Bluetooth Titan Security Keys have NFC functionality built-in. This allows you to tap your key to the back of your iPhone when prompted at sign-in.You can use a Lightning security key like the YubiKey 5Ci or any USB security key if you have an Apple Lightning to USB Camera Adapter.You can plug a USB-C security key in directly to an iOS device that has a USB-C port (such as an iPad Pro).We suggest installing the Smart Lock app in order to use Bluetooth security keys and your phone’s built-in security key, which allows you to use your iPhone as an additional security key for your Google Account.In order to add your Google Account to your iOS device, navigate to “Settings > Passwords & Accounts” on your iOS device or install the Google app and sign in.Account security best practicesWe highly recommend users at a higher risk of targeted attacks to get security keys (such as Titan Security Key or your Android or iOS phone) and enroll into the Advanced Protection Program. If you’re working for political committees in the United States, you may be eligible to request free Titan Security Keys through the Defending Digital Campaigns to get help enrolling into Advanced Protection.You can also use security keys for any site where FIDO security keys are supported for 2FA, including your personal or work Google Account, 1Password, Bitbucket, Bitfinex, Coinbase, Dropbox, Facebook, GitHub, Salesforce, Stripe, Twitter, and more.
VMware flaw allows takeover of multiple private clouds
by John E Dunn on June 3, 2020 at 15:23
VMWare’s VMware Cloud Director has a security flaw that researchers believe could be exploited to compromise multiple customer accounts using the same cloud infrastructure.
Amtrak breached, some customers’ logins and PII potentially exposed
by Lisa Vaas on June 3, 2020 at 15:09
The US rail service hasn't disclosed the number of passengers affected in a 16 April breach.
Facebook now lets you delete old posts in bulk
by Tomáš Foltýn on June 3, 2020 at 14:57
Dealing with skeletons lurking in your Facebook closet has never been easier The post Facebook now lets you delete old posts in bulk appeared first on WeLiveSecurity
We won! Naked Security scoops “Legends of security” award
by Paul Ducklin on June 3, 2020 at 07:54
We're absolutely delighted - delighted and proud! - to report that we won not one but two awards at last night's European Security Blogger Awards 2020.
REvil Ransomware Gang Starts Auctioning Victim Data
by BrianKrebs on June 2, 2020 at 18:04
The criminal group behind the REvil ransomware enterprise has begun auctioning off sensitive data stolen from companies hit by its malicious software. The move marks an escalation in tactics aimed at coercing victims to pay up -- and publicly shaming those don't. But it may also signal that ransomware purveyors are searching for new ways to profit from their crimes as victim businesses struggle just to keep the lights on during the unprecedented economic slowdown caused by the COVID-19 pandemic.
The mystery of the expiring Sectigo web certificate
by Paul Ducklin on June 2, 2020 at 16:48
If you're getting TLS connection errors that suddenly started this weekend, a tired old encryption library might be the problem.