Ransomware Survey 2022 – like the Curate’s Egg, “good in parts”

By Paul Ducklin — April 27^th 2022 at 15:22

You might not like the headline statistics in this year's ransomware report... but that makes it even more important to take a look!

Naked Security

QNAP warns of new bugs in its Network Attached Storage devices

By Paul Ducklin — April 22^nd 2022 at 15:15

Here's what you need to know - plus some sensible advice for all the devices on your home or small biz network!

nas-1200

Naked Security

S3 Ep79: Chrome hole, a bad place for a cybersecurity holiday, and crypto-dodginess [Podcast]

By Paul Ducklin — April 21^st 2022 at 13:41

Do you know your Adam Osborne from your John Osbourne? Your Z80 from your 6502? Latest episode - listen now!

Naked Security

Critical cryptographic Java security blunder patched – update now!

By Paul Ducklin — April 20^th 2022 at 16:43

Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.

Naked Security

Beanstalk cryptocurrency heist: scammer votes himself all the money

By Paul Ducklin — April 19^th 2022 at 16:00

Voting safeguards based on commuity collateral don't work if one person can use a momentary loan to "become" 75% of the community.

Naked Security

Yet another Chrome zero-day emergency update – patch now!

By Paul Ducklin — April 16^th 2022 at 00:33

The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.

Naked Security

S3 Ep78: Darkweb hydra, Ruby, quantum computing, and a robot revolution [Podcast]

By Paul Ducklin — April 14^th 2022 at 13:39

Latest episode - listen now!

Naked Security

Hospital robot system gets five critical security holes patched

By Paul Ducklin — April 12^th 2022 at 18:58

Fortunately, we're not talking about a robot revolution, or about hospital AI run amuck. But these bugs could lead to ransomware, or worse...

Naked Security

Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now!

By Paul Ducklin — April 8^th 2022 at 15:38

A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it.

ruby-1200

Naked Security

S3 Ep77: Bugs, busts and old-school PDP-11 hacking [Podcast]

By Paul Ducklin — April 7^th 2022 at 12:24

Latest episode - listen now! Cybersecurity news and advice in plain English.

Naked Security

Firefox 99 is out – no major bugs, but update anyway!

By Paul Ducklin — April 5^th 2022 at 16:21

Firefox's four-weekly updates just dropped - here's what you need to know.

Naked Security

Google’s monthly Android updates patch numerous “get root” holes

By Paul Ducklin — April 5^th 2022 at 14:44

Get the update now... if it's available for your phone. Here's how to check.

android-1200

Naked Security

Apple pushes out two emergency 0-day updates – get ’em now!

By Paul Ducklin — March 31^st 2022 at 23:38

More Apple zero-days - mobile devices, laptops and desktops affected. Update now!

apple-1200

Naked Security

S3 Ep76: Deadbolt, LAPSUS$, Zlib, and a Chrome 0-day [Podcast]

By Paul Ducklin — March 31^st 2022 at 13:38

Latest episode - listen now!

Naked Security

Zlib data compressor fixes 17-year-old security bug – patch, errrm, now

By Paul Ducklin — March 29^th 2022 at 16:37

This code is venerable! Surely all the bugs must be out by now?

Naked Security

Google Chrome patches mysterious new zero-day bug – update now

By Paul Ducklin — March 28^th 2022 at 14:18

CVE-2022-1096 - another mystery in-the-wild 0-day in Chrome... check your version now!

Naked Security

S3 Ep75: Okta hack, CryptoRom, OpenSSL, and CafePress [Podcast]

By Paul Ducklin — March 24^th 2022 at 13:49

Latest episode - listen now!

Naked Security

Serious Security: DEADBOLT – the ransomware that goes straight for your backups

By Paul Ducklin — March 23^rd 2022 at 19:58

Some tips on how to keep your network safe - even (or perhaps especially!) if you think you're safe already.

Naked Security

OpenSSL patches infinite-loop DoS bug in certificate verification

By Paul Ducklin — March 18^th 2022 at 17:59

When it comes to writing loops in your code... never sit on the fence!

Naked Security

S3 Ep74: Cybercrime busts, Apple patches, Pi Day, and disconnect effects [Podcast]

By Paul Ducklin — March 17^th 2022 at 13:32

Latest episode - listen now!

Naked Security

CISA warning: “Russian actors bypassed 2FA” – what happened and how to avoid it

By Paul Ducklin — March 16^th 2022 at 01:22

Don't leave old accounts lying around where someone sketchy could reactivate them.

Naked Security

Apple patches 87 security holes – from iPhones and Macs to Windows

By Paul Ducklin — March 15^th 2022 at 16:36

Lots of fixes, with data leakage flaws and code execution bugs patched on iPhones, Macs and even Windows.

apple-1200

Naked Security

S3 Ep73: Ransomware with a difference, dirty Linux pipes, and much more [Podcast + Transcript]

By Paul Ducklin — March 10^th 2022 at 19:37

Latest episode - listen now!

Naked Security

“Dirty Pipe” Linux kernel bug lets anyone write to any file

By Paul Ducklin — March 8^th 2022 at 19:37

Even read-only files can be written to, leading to a dangerously general purpose elevation-of-privilege attack.

pipe-1200

Naked Security

Adafruit suffers GitHub data breach – don’t let this happen to you

By Paul Ducklin — March 7^th 2022 at 12:47

Training data stashed in GitHub by mistake... unfortunately, it was *real* data

Naked Security

Firefox patches two actively exploited 0-day holes: update now!

By Paul Ducklin — March 5^th 2022 at 19:06

Firefox just published a double-zero-day patch - "remote code execution" combined with "sandbox escape". Update now!

Naked Security

S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript]

By Paul Ducklin — March 3^rd 2022 at 14:04

Latest episode - listen now (or read it, if that's your preference)...

Naked Security

Ransomware with a difference: “Derestrict your software, or else!”

By Paul Ducklin — March 2^nd 2022 at 16:33

"Change your code to improve cryptomining"... or we'll dump 1TB of stolen secrets.

Naked Security

S3 Ep71: VMware escapes, PHP holes, WP plugin woes, and scary scams [Podcast + Transcript]

By Paul Ducklin — February 24^th 2022 at 16:51

Latest episode - listen now!

Naked Security

WordPress backup plugin maker Updraft says “You should update”…

By Paul Ducklin — February 22^nd 2022 at 17:26

A straight-talking bug report written in plain English by an actual expert - there's a teachable moment in this cybersecurity story!

Naked Security

French speakers blasted by sextortion scams with no text or links

By Paul Ducklin — February 21^st 2022 at 17:59

You'd spot this one a mile away... but what about your friends or family?

Naked Security

Irony alert! PHP fixes security flaw in input validation code

By Paul Ducklin — February 18^th 2022 at 17:59

What's wrong with this sequence? 1. Step into the road 2. Check if it's safe 3. Keep on walki...

Naked Security

S3 Ep70: Bitcoin, billing blunders, and 0-day after 0-day after 0-day [Podcast + Transcript]

By Paul Ducklin — February 17^th 2022 at 17:12

Latest episode - listen and learn!

Naked Security

VMware fixes holes that could allow virtual machine escapes

By Paul Ducklin — February 16^th 2022 at 19:32

Hats off to VMware for not using weasel words: "When should you act?" Immediately...

Naked Security

Google announces zero-day in Chrome browser – update now!

By Paul Ducklin — February 15^th 2022 at 19:17

Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"

Naked Security

Adobe fixes zero-day exploit in e-commerce code: update now!

By Paul Ducklin — February 14^th 2022 at 22:38

There's a remote code execution hole in Adobe e-commerce products - and cybercrooks are already exploiting it.

Naked Security

Power company pays out $3 trillion compensation to astonished customer

By Paul Ducklin — February 14^th 2022 at 14:58

More money than the UK's economy produces in a year!

Naked Security

Apple zero-day drama for Macs, iPhones and iPads – patch now!

By Paul Ducklin — February 11^th 2022 at 14:25

Sudden update! Zero-day browser hole! Drive-by malware danger! Patch Apple laptops and phones now...

apple-1200

Naked Security

S3 Ep69: WordPress woes, Wormhole holes, and a Microsoft change of heart [Podcast + Transcript]

By Paul Ducklin — February 10^th 2022 at 01:15

Latest episode - listen now!

Naked Security

Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist

By Naked Security writer — February 9^th 2022 at 14:44

The cops say they've recovered 80% of a $72 million cryptocoin heist... but the recovered funds alone are now worth over $4 billion!

Naked Security

At last! Office macros from the internet to be blocked by default

By Paul Ducklin — February 8^th 2022 at 16:34

It's been a long time coming, and we're not there yet, but at least Microsoft Office will be a bit safer against macro malware...

Naked Security

Microsoft blocks web installation of its own App Installer files

By Paul Ducklin — February 7^th 2022 at 16:36

It's a big deal when a vendor decides to block one of its own "features" for security reasons. Here's why we think it's a good idea.

Naked Security

S3 Ep68: Bugs, scams, privacy …and fonts?! [Podcast + Transcript]

By Paul Ducklin — February 3^rd 2022 at 16:20

Latest episode - listen now!

Naked Security

Elementor WordPress plugin has a gaping security hole – update now

By Paul Ducklin — February 2^nd 2022 at 17:11

We shouldn't need to say, "Check your inputs!" these days, but we're saying it anyway.

Naked Security

Linux kernel patches “performance can be harmful” bug in video driver

By Paul Ducklin — February 1^st 2022 at 19:59

This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.

Naked Security

Coronavirus SMS scam offers home PCR testing devices – don’t fall for it!

By Paul Ducklin — January 28^th 2022 at 23:58

Free home PCR devices would be technological marvels, and really useful, too. But there aren't any...

Naked Security

Happy Data Privacy Day – and we really do mean “happy” :-)

By Paul Ducklin — January 28^th 2022 at 15:34

We give you some simple digital lifesytle tips that cost nothing.

Naked Security

Apple fixes Safari data leak (and patches a zero-day!) – update now

By Paul Ducklin — January 27^th 2022 at 21:09

That infamous "supercookie" bug in Safari has now been fixed. Oh, and there was a zero-day kernel hole as well.

apple-1200

Naked Security

S3 Ep67: Tax scams, carder busts and crypto capers [Podcast + Transcript]

By Paul Ducklin — January 27^th 2022 at 19:57

Latest episode - listen now!

Naked Security

“PwnKit” security bug gets you root on most Linux distros – what to do

By Paul Ducklin — January 26^th 2022 at 19:58

An elevation of privilege bug that could let a "mostly harmless" user give themselves a instant root shell

Naked Security

Tax scam emails are alive and well as US tax season starts

By Paul Ducklin — January 25^th 2022 at 17:19

If in doubt, don't give it out! (And don't forget that no reply is often a good reply.)

Naked Security

Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft

By Paul Ducklin — January 21^st 2022 at 16:25

The company has put out a brief security report that summarises the 'what', but not yet the 'how' or 'why'.

Naked Security

S3 Ep66: Cybercrime busts, wormable Windows, and the crisis of featuritis [Podcast + Transcript]

By Paul Ducklin — January 20^th 2022 at 17:28

Latest epsiode - listen now!

Naked Security

Serious Security: Apple Safari leaks private data via database API – what you need to know

By Paul Ducklin — January 18^th 2022 at 19:23

There's a tiny data leakage bug in the WebKit browser engine... but it could act as a "supercookie" identifier for your browsing

Naked Security

S3 Ep65: Supply chain conniption, NetUSB hole, Honda flashback, FTC muscle [Podcast + Transcript]

By Paul Ducklin — January 13^th 2022 at 15:26

Latest episode -listen to it or read it now!

Naked Security

Wormable Windows HTTP hole – what you need to know

By Paul Ducklin — January 12^th 2022 at 16:24

One bug in the January 2022 Patch Tuesday list is getting lots of attention: "HTTP Protocol Stack Remote Code Execution Vulnerability".

Naked Security

Home routers with NetUSB support could have critical kernel hole

By Paul Ducklin — January 11^th 2022 at 17:42

Got a router that supports USB access across the network? You might need a kernel update...

Naked Security

Log4Shell-like security hole found in popular Java SQL database engine H2

By Paul Ducklin — January 7^th 2022 at 19:32

"It's Log4Shell, Jim, but not as we know it." How to find and fix a JNDI-based vuln in the H2 Database Engine.

Naked Security

S3 Ep64: Log4Shell again, scammers keeping busy, and Apple Home bug [Podcast + Transcript]

By Paul Ducklin — January 6^th 2022 at 19:44

We're back for 2022 - listen now!

Naked Security

FTC threatens “legal action” over unpatched Log4j and other vulns

By Paul Ducklin — January 5^th 2022 at 19:37

Remember the Equifax breach? Remember the $700m penalty? In case you'd forgotten, here's the FTC to refresh your memory!