OpenSSL patches infinite-loop DoS bug in certificate verification

By Paul Ducklin — March 18^th 2022 at 17:59

When it comes to writing loops in your code... never sit on the fence!

Naked Security

S3 Ep74: Cybercrime busts, Apple patches, Pi Day, and disconnect effects [Podcast]

By Paul Ducklin — March 17^th 2022 at 13:32

Latest episode - listen now!

Naked Security

CISA warning: “Russian actors bypassed 2FA” – what happened and how to avoid it

By Paul Ducklin — March 16^th 2022 at 01:22

Don't leave old accounts lying around where someone sketchy could reactivate them.

Naked Security

Apple patches 87 security holes – from iPhones and Macs to Windows

By Paul Ducklin — March 15^th 2022 at 16:36

Lots of fixes, with data leakage flaws and code execution bugs patched on iPhones, Macs and even Windows.

apple-1200

Naked Security

S3 Ep73: Ransomware with a difference, dirty Linux pipes, and much more [Podcast + Transcript]

By Paul Ducklin — March 10^th 2022 at 19:37

Latest episode - listen now!

Naked Security

“Dirty Pipe” Linux kernel bug lets anyone write to any file

By Paul Ducklin — March 8^th 2022 at 19:37

Even read-only files can be written to, leading to a dangerously general purpose elevation-of-privilege attack.

pipe-1200

Naked Security

Adafruit suffers GitHub data breach – don’t let this happen to you

By Paul Ducklin — March 7^th 2022 at 12:47

Training data stashed in GitHub by mistake... unfortunately, it was *real* data

Naked Security

Firefox patches two actively exploited 0-day holes: update now!

By Paul Ducklin — March 5^th 2022 at 19:06

Firefox just published a double-zero-day patch - "remote code execution" combined with "sandbox escape". Update now!

Naked Security

S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript]

By Paul Ducklin — March 3^rd 2022 at 14:04

Latest episode - listen now (or read it, if that's your preference)...

Naked Security

Ransomware with a difference: “Derestrict your software, or else!”

By Paul Ducklin — March 2^nd 2022 at 16:33

"Change your code to improve cryptomining"... or we'll dump 1TB of stolen secrets.

Naked Security

S3 Ep71: VMware escapes, PHP holes, WP plugin woes, and scary scams [Podcast + Transcript]

By Paul Ducklin — February 24^th 2022 at 16:51

Latest episode - listen now!

Naked Security

WordPress backup plugin maker Updraft says “You should update”…

By Paul Ducklin — February 22^nd 2022 at 17:26

A straight-talking bug report written in plain English by an actual expert - there's a teachable moment in this cybersecurity story!

Naked Security

French speakers blasted by sextortion scams with no text or links

By Paul Ducklin — February 21^st 2022 at 17:59

You'd spot this one a mile away... but what about your friends or family?

Naked Security

Irony alert! PHP fixes security flaw in input validation code

By Paul Ducklin — February 18^th 2022 at 17:59

What's wrong with this sequence? 1. Step into the road 2. Check if it's safe 3. Keep on walki...

Naked Security

S3 Ep70: Bitcoin, billing blunders, and 0-day after 0-day after 0-day [Podcast + Transcript]

By Paul Ducklin — February 17^th 2022 at 17:12

Latest episode - listen and learn!

Naked Security

VMware fixes holes that could allow virtual machine escapes

By Paul Ducklin — February 16^th 2022 at 19:32

Hats off to VMware for not using weasel words: "When should you act?" Immediately...

Naked Security

Google announces zero-day in Chrome browser – update now!

By Paul Ducklin — February 15^th 2022 at 19:17

Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"

Naked Security

Adobe fixes zero-day exploit in e-commerce code: update now!

By Paul Ducklin — February 14^th 2022 at 22:38

There's a remote code execution hole in Adobe e-commerce products - and cybercrooks are already exploiting it.

Naked Security

Power company pays out $3 trillion compensation to astonished customer

By Paul Ducklin — February 14^th 2022 at 14:58

More money than the UK's economy produces in a year!

Naked Security

Apple zero-day drama for Macs, iPhones and iPads – patch now!

By Paul Ducklin — February 11^th 2022 at 14:25

Sudden update! Zero-day browser hole! Drive-by malware danger! Patch Apple laptops and phones now...

apple-1200

Naked Security

S3 Ep69: WordPress woes, Wormhole holes, and a Microsoft change of heart [Podcast + Transcript]

By Paul Ducklin — February 10^th 2022 at 01:15

Latest episode - listen now!

Naked Security

Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist

By Naked Security writer — February 9^th 2022 at 14:44

The cops say they've recovered 80% of a $72 million cryptocoin heist... but the recovered funds alone are now worth over $4 billion!

Naked Security

At last! Office macros from the internet to be blocked by default

By Paul Ducklin — February 8^th 2022 at 16:34

It's been a long time coming, and we're not there yet, but at least Microsoft Office will be a bit safer against macro malware...

Naked Security

Microsoft blocks web installation of its own App Installer files

By Paul Ducklin — February 7^th 2022 at 16:36

It's a big deal when a vendor decides to block one of its own "features" for security reasons. Here's why we think it's a good idea.

Naked Security

S3 Ep68: Bugs, scams, privacy …and fonts?! [Podcast + Transcript]

By Paul Ducklin — February 3^rd 2022 at 16:20

Latest episode - listen now!

Naked Security

Elementor WordPress plugin has a gaping security hole – update now

By Paul Ducklin — February 2^nd 2022 at 17:11

We shouldn't need to say, "Check your inputs!" these days, but we're saying it anyway.

Naked Security

Linux kernel patches “performance can be harmful” bug in video driver

By Paul Ducklin — February 1^st 2022 at 19:59

This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.

Naked Security

Coronavirus SMS scam offers home PCR testing devices – don’t fall for it!

By Paul Ducklin — January 28^th 2022 at 23:58

Free home PCR devices would be technological marvels, and really useful, too. But there aren't any...

Naked Security

Happy Data Privacy Day – and we really do mean “happy” :-)

By Paul Ducklin — January 28^th 2022 at 15:34

We give you some simple digital lifesytle tips that cost nothing.

Naked Security

Apple fixes Safari data leak (and patches a zero-day!) – update now

By Paul Ducklin — January 27^th 2022 at 21:09

That infamous "supercookie" bug in Safari has now been fixed. Oh, and there was a zero-day kernel hole as well.

apple-1200

Naked Security

S3 Ep67: Tax scams, carder busts and crypto capers [Podcast + Transcript]

By Paul Ducklin — January 27^th 2022 at 19:57

Latest episode - listen now!

Naked Security

“PwnKit” security bug gets you root on most Linux distros – what to do

By Paul Ducklin — January 26^th 2022 at 19:58

An elevation of privilege bug that could let a "mostly harmless" user give themselves a instant root shell

Naked Security

Tax scam emails are alive and well as US tax season starts

By Paul Ducklin — January 25^th 2022 at 17:19

If in doubt, don't give it out! (And don't forget that no reply is often a good reply.)

Naked Security

Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft

By Paul Ducklin — January 21^st 2022 at 16:25

The company has put out a brief security report that summarises the 'what', but not yet the 'how' or 'why'.

Naked Security

S3 Ep66: Cybercrime busts, wormable Windows, and the crisis of featuritis [Podcast + Transcript]

By Paul Ducklin — January 20^th 2022 at 17:28

Latest epsiode - listen now!

Naked Security

Serious Security: Apple Safari leaks private data via database API – what you need to know

By Paul Ducklin — January 18^th 2022 at 19:23

There's a tiny data leakage bug in the WebKit browser engine... but it could act as a "supercookie" identifier for your browsing

Naked Security

S3 Ep65: Supply chain conniption, NetUSB hole, Honda flashback, FTC muscle [Podcast + Transcript]

By Paul Ducklin — January 13^th 2022 at 15:26

Latest episode -listen to it or read it now!

Naked Security

Wormable Windows HTTP hole – what you need to know

By Paul Ducklin — January 12^th 2022 at 16:24

One bug in the January 2022 Patch Tuesday list is getting lots of attention: "HTTP Protocol Stack Remote Code Execution Vulnerability".

Naked Security

Home routers with NetUSB support could have critical kernel hole

By Paul Ducklin — January 11^th 2022 at 17:42

Got a router that supports USB access across the network? You might need a kernel update...

Naked Security

Log4Shell-like security hole found in popular Java SQL database engine H2

By Paul Ducklin — January 7^th 2022 at 19:32

"It's Log4Shell, Jim, but not as we know it." How to find and fix a JNDI-based vuln in the H2 Database Engine.

Naked Security

S3 Ep64: Log4Shell again, scammers keeping busy, and Apple Home bug [Podcast + Transcript]

By Paul Ducklin — January 6^th 2022 at 19:44

We're back for 2022 - listen now!

Naked Security

FTC threatens “legal action” over unpatched Log4j and other vulns

By Paul Ducklin — January 5^th 2022 at 19:37

Remember the Equifax breach? Remember the $700m penalty? In case you'd forgotten, here's the FTC to refresh your memory!

Naked Security

Apple Home software bug could lock you out of your iPhone

By Paul Ducklin — January 4^th 2022 at 17:23

The finder of this bug insists it "poses a serious risk". We're not so sure, but we recommend you take steps to avoid it anyway.

Naked Security

Log4Shell vulnerability Number Four: “Much ado about something”

By Paul Ducklin — December 29^th 2021 at 19:12

It's a Log4j bug, and you ought to patch it. But we don't think it's a critical crisis like the last one.

Naked Security

SFW! The Top N Cybersecurity Stories of 2021 (for small positive integer values of N)

By Paul Ducklin — December 24^th 2021 at 17:44

Happy Holidays! Our Top N stories, all totally SFW!

Naked Security

The cool retro phone with a REAL DIAL… plus plenty of IoT problems

By Paul Ducklin — December 23^rd 2021 at 17:58

You know you want one, because this retro phone is NOT A TOY... except when it comes to cybersecurity.

Naked Security

Plundered bitcoins recovered by FBI – all 3,879-and-one-sixth of them!

By Paul Ducklin — December 22^nd 2021 at 17:57

Phew! An audacious crime... that didn't work out.

Naked Security

Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!

By Paul Ducklin — December 21^st 2021 at 19:57

The Apache web server just got an update - this one is nothing to do with Log4j!

Naked Security

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

By Paul Ducklin — December 17^th 2021 at 17:57

Have you ever seen the message "An error occurred"? Even worse, the message "This error cannot occur"? Facts matter!

Naked Security

S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]

By Paul Ducklin — December 16^th 2021 at 17:41

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)

Naked Security

Apple security updates are out – and not a Log4Shell mention in sight

By Paul Ducklin — December 14^th 2021 at 12:55

Get 'em while they're hot!

Naked Security

Log4Shell explained – how it works, why you need to know, and how to fix it

By Paul Ducklin — December 13^th 2021 at 19:41

Find out how to deal with the Log4Shell vulnerability right across your estate. Yes, you need to patch, but that helps everyone else along with you!

Naked Security

“Log4Shell” Java vulnerability – how to safeguard your servers

By Paul Ducklin — December 10^th 2021 at 19:22

Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j product

Naked Security

S3 Ep62: The S in IoT stands for security (and much more) [Podcast+Transcript]

By Paul Ducklin — December 9^th 2021 at 17:40

Listen now or read as an article! (Full transcript inside.)

Naked Security

Firefox update brings a whole new sort of security sandbox

By Paul Ducklin — December 7^th 2021 at 19:14

Firefox 95.0 is out, with the usual security fixes... plus some funky new ones.

Naked Security

Cryptocurrency startup fails to subtract before adding, loses $31m

By Paul Ducklin — December 6^th 2021 at 19:50

Think of a number, any number. Take away 42. Add 42 back in. Then pretend you didn't take away 42. How much is left?

Naked Security

Mozilla patches critical “BigSig” cryptographic bug: Here’s how to track it down and fix it

By Paul Ducklin — December 3^rd 2021 at 17:58

Mozilla's cryptographic code had a critical bug. Problem is that numerous apps are affected and may need patching individually.

Naked Security

S3 Ep61: Call scammers, cloud insecurity, and facial recognition creepiness [Podcast+Transcript]

By Paul Ducklin — December 2^nd 2021 at 20:50

Latest episode - listen now!

Naked Security

IoT devices must “protect consumers from cyberharm”, says UK government

By Paul Ducklin — December 2^nd 2021 at 19:10

"Must be at least THIS tall to go on ride" seems to be the starting point. Too little, too late? Or better than nothing?

Naked Security

Clearview AI face-matching service set to be fined over $20m

By Paul Ducklin — November 30^th 2021 at 19:13

Scraping data for a facial recognition service? "That's unlawful", concluded both the British and the Australians.