TikTok “Invisible Challenge” porn malware puts us all at risk

By Paul Ducklin — November 29^th 2022 at 19:58

An injury to one is an injury to all. Especially if the other people are part of your social network.

Naked Security

Chrome fixes 8th zero-day of 2022 – check your version now (Edge too!)

By Paul Ducklin — November 28^th 2022 at 19:42

There isn't a rhyme to remind you which months have browser zero-days... you just have to keep your eyes and ears open!

Naked Security

Voice-scamming site “iSpoof” seized, 100s arrested in massive crackdown

By Naked Security writer — November 25^th 2022 at 19:17

Those numbers or names that pop up when a call comes up? They're OK as a hint of who's calling, but THEY PROVE NOTHING

Naked Security

S3 Ep110: Spotlight on cyberthreats – an expert speaks [Audio + Text]

By Paul Ducklin — November 24^th 2022 at 16:52

Latest episode - security expert John Shier explains what the real-life cybercrime stories in the Sophos Threat Report can teach us

Naked Security

How to hack an unpatched Exchange server with rogue PowerShell code

By Paul Ducklin — November 22^nd 2022 at 19:54

Review your servers, your patches and your authentication policies - there's a proof-of-concept out

Naked Security

S3 Ep109: How one leaked email password could drain your business [Audio + Transcript]

By Paul Ducklin — November 17^th 2022 at 17:52

Latest episode - listen now! Cybersecurity news plus loads of great advice...

Naked Security

Firefox fixes fullscreen fakery flaw – get the update now!

By Paul Ducklin — November 16^th 2022 at 19:51

What's so bad about a web page going fullscreen without warning you first?

Naked Security

Log4Shell-like code execution hole in popular Backstage dev tool

By Paul Ducklin — November 15^th 2022 at 17:49

Good old "string templating", also known as "string interpolation", in the spotlight again...

bs-1200

Naked Security

S3 Ep108: You hid THREE BILLION dollars in a popcorn tin?

By Paul Ducklin — November 10^th 2022 at 17:26

Patches, busts, leaks and why even low-likelihood exploits can be high-severity risks - listen now!

Naked Security

Emergency code execution patch from Apple – but not an 0-day

By Paul Ducklin — November 10^th 2022 at 01:49

Not a zero-day, but important enough for a quick-fire patch to one system library...

Naked Security

Exchange 0-days fixed (at last) – plus 4 brand new Patch Tuesday 0-days!

By Paul Ducklin — November 9^th 2022 at 19:58

In all the excitement, we kind of lost track ourselves. Were there six 0-days, or only four?

Naked Security

Silk Road drugs market hacker pleads guilty, faces 20 years inside

By Paul Ducklin — November 8^th 2022 at 19:58

Jurisprudence isn't like arithmetic... two negatives never make a positive!

Naked Security

Twitter Blue Badge email scams – Don’t fall for them!

By Naked Security writer — November 4^th 2022 at 17:59

That was the week that was...

Naked Security

S3 Ep107: Eight months to kick out the crooks and you think that’s GOOD? [Audio + Text]

By Paul Ducklin — November 3^rd 2022 at 17:51

Listen now - latest episode - audio plus full transcript

Naked Security

The OpenSSL security update story – how can you tell what needs fixing?

By Paul Ducklin — November 3^rd 2022 at 00:44

How to Hack! Finding OpenSSL library files and accurately identifying their version numbers...

ossl-code-1200

Naked Security

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway!

By Paul Ducklin — November 1^st 2022 at 17:24

That bated-breath OpenSSL update is out! It's no longer rated CRITICAL, but we advise you to patch ASAP anyway. Here's why...

Naked Security

SHA-3 code execution bug patched in PHP – check your version!

By Paul Ducklin — November 1^st 2022 at 14:09

As everyone waits for news of a bug in OpenSSL, here's a reminder that other cryptographic code in your life may also need patching!

Naked Security

Chrome issues urgent zero-day fix – update now!

By Paul Ducklin — October 29^th 2022 at 15:08

We've said it before/And we'll say it again/It's not *if* you should patch/It's a matter of *when*. (Hint: now!)

Naked Security

Updates to Apple’s zero-day update story – iPhone and iPad users read this!

By Paul Ducklin — October 28^th 2022 at 18:04

Turns out that Tuesday's zero-day for iOS 16 is Friday's zero-day for iOS 15...

Naked Security

S3 Ep106: Facial recognition without consent – should it be banned?

By Paul Ducklin — October 27^th 2022 at 16:59

Latest episode - listen (or read) now. Teachable moments for X-Ops professionals!

Naked Security

Clearview AI image-scraping face recognition service hit with €20m fine in France

By Paul Ducklin — October 26^th 2022 at 00:50

"We told you to stop but you ignored us," said the French regulator, "so now we're coming after you again."

Naked Security

Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!

By Paul Ducklin — October 25^th 2022 at 18:03

Ventura hits the market with 112 patches, Catalina's gone missing, and iPhones and iPads get a critical kernel-level zero-day patch...

Naked Security

S3 Ep105: WONTFIX! The MS Office cryptofail that “isn’t a security flaw” [Audio + Text]

By Paul Ducklin — October 20^th 2022 at 18:54

The coolest video game ever! And lots of solid cybersecurity advice - listen now!

pic-1200

Naked Security

Zoom for Mac patches sneaky “spy-on-me” bug – update now!

By Paul Ducklin — October 18^th 2022 at 18:01

Hey! That back door isn't supposed to be there at all, let alone propped open...

Naked Security

Dangerous hole in Apache Commons Text – like Log4Shell all over again

By Paul Ducklin — October 18^th 2022 at 17:26

Third time unlucky. Time to put your patching boots on again...

act-1200

Naked Security

S3 Ep104: Should hospital ransomware attackers be locked up for life? [Audio + Text]

By Paul Ducklin — October 13^th 2022 at 16:37

Have your say on three deep questions posed by this week's podcast. Read or listen as suits you best...

Naked Security

Patch Tuesday in brief – one 0-day fixed, but no patches for Exchange!

By Paul Ducklin — October 12^th 2022 at 16:58

There's a zero-day patch, but it's not for the zero-day you thought.

Naked Security

Mystery iPhone update patches against iOS 16 mail crash-attack

By Paul Ducklin — October 11^th 2022 at 00:28

The problem with crashy messaging apps is that *other people* get to choose if and when to send you messages...

Naked Security

S3 Ep103: Scammers in the Slammer (and other stories) [Audio + Text]

By Paul Ducklin — October 6^th 2022 at 14:43

Latest episode - listen and learn now (or read and revise, if the written word is your thing)...

Naked Security

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

By Paul Ducklin — October 1^st 2022 at 14:05

Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

Naked Security

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

By Paul Ducklin — September 30^th 2022 at 18:25

Double-play 0-day in Exchange - what you need to know, and what you can do

Naked Security

S3 Ep102: How to avoid a data breach [Audio + Transcript]

By Paul Ducklin — September 29^th 2022 at 18:45

Latest episode - listen now! Tell fact from fiction in hyped-up cybersecurity news...

Naked Security

WhatsApp “zero-day exploit” news scare – what you need to know

By Paul Ducklin — September 27^th 2022 at 18:51

Is WhatsApp currently under active attack by cybercriminals? Is this a clear and current danger? How worried should WhatsApp users be?

Naked Security

S3 Ep101: Uber and LastPass breaches – is 2FA all it’s cracked up to be? [Audio + Text]

By Paul Ducklin — September 22^nd 2022 at 18:42

Latest episode - listen now! Learn why adopting 2FA isn't a reason to relax your other security precautions...

Naked Security

Interested in cybersecurity? Join us for Security SOS Week 2022!

By Paul Ducklin — September 21^st 2022 at 14:24

Four one-on-one interviews with experts who are passionate about sharing their expertise with the community.

Naked Security

S3 Ep100.5: Uber breach – an expert speaks [Audio + Text]

By Paul Ducklin — September 17^th 2022 at 20:57

Chester Wisniewski on what we can learn from Uber: "Just because a big company didn't have the security they should doesn't mean you can't."

Naked Security

S3 Ep100: Browser-in-the-Browser – how to spot an attack [Audio + Text]

By Paul Ducklin — September 15^th 2022 at 18:50

Latest episode - listen now! Cosmic rockets, zero-days, spotting cybercrooks, and unlocking the DEADBOLT...

s3-ep100-js-1200

Naked Security

Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t!

By Paul Ducklin — September 13^th 2022 at 20:52

Simple but super-sneaky - use a picture of a browser, and convince people it's real...

pipe-light-not-1200

Naked Security

Apple patches zero-day holes – even in the brand new iOS 16

By Paul Ducklin — September 12^th 2022 at 21:25

Five updates, one upgrade, plus two zero-days. Patch your Macs, iPhones and iPads as soon as you can (again)...

apple-plus-16-1200

Naked Security

How to deal with dates and times without any timezone tantrums…

By Paul Ducklin — September 9^th 2022 at 18:59

Heartfelt encouragement to embrace RFC 3339 - find out why!

Naked Security

S3 Ep99: TikTok “attack” – was there a data breach, or not? [Audio + Text]

By Paul Ducklin — September 8^th 2022 at 13:21

Latest episode - listen now! (Or read if you prefer - full transcript inside.)

Naked Security

Chrome and Edge fix zero-day security hole – update now!

By Paul Ducklin — September 5^th 2022 at 15:12

This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.

Naked Security

Peter Eckersley, co-creator of Let’s Encrypt, dies at just 43

By Paul Ducklin — September 4^th 2022 at 00:50

This site, like millions of others, has a certificate from Let's Encrypt. Farewell, Peter Eckersley, PhD, who helped make it all possible.

Naked Security

S3 Ep98: The LastPass saga – should we stop using password managers? [Audio + Text]

By Paul Ducklin — September 1^st 2022 at 16:55

Latest episode - listen now!

Naked Security

URGENT! Apple slips out zero-day update for older iPhones and iPads

By Paul Ducklin — August 31^st 2022 at 18:42

Patch as soon as you can - that recent WebKit zero-day affecting new iPhones and iPads is apparently being used against older models, too.

Naked Security

Chrome patches 24 security holes, enables “Sanitizer” safety system

By Paul Ducklin — August 31^st 2022 at 11:48

24 existing bugs fixed. And, we hope, numerous potential future bugs prevented.

Naked Security

JavaScript bugs aplenty in Node.js ecosystem – found automatically

By Paul Ducklin — August 30^th 2022 at 16:59

How to get the better of bugs in all the possible packages in your supply chain?

Naked Security

Firefox 104 is out – no critical bugs, but update anyway

By Paul Ducklin — August 26^th 2022 at 16:27

Two trust-spoofing bugs were the main culprits this month - but neither one was a zero-day.

Naked Security

S3 Ep97: Did your iPhone get pwned? How would you know? [Audio + Text]

By Paul Ducklin — August 25^th 2022 at 15:37

Latest episode - listen now! (Or read the transcript if you prefer the text version.)

Naked Security

Breaching airgap security: using your phone’s gyroscope as a microphone

By Paul Ducklin — August 24^th 2022 at 18:59

One bit per second makes the Voyager probe data rate seem blindingly fast. But it's enough to break your security assumptions...

Naked Security

Bitcoin ATMs leeched by attackers who created fake admin accounts

By Paul Ducklin — August 23^rd 2022 at 18:35

The criminals didn't implant any malware. The attack was orchestrated via malevolent configuration changes.

Naked Security

Laptop denial-of-service via music: the 1980s R&B song with a CVE!

By Paul Ducklin — August 22^nd 2022 at 16:03

We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)

Naked Security

S3 Ep96: Zoom 0-day, AEPIC leak, Conti reward, healthcare security [Audio + Text]

By Paul Ducklin — August 18^th 2022 at 18:38

Latest episode - listen now (or read if you prefer!)

Naked Security

Apple patches double zero-day in browser and kernel – update now!

By Paul Ducklin — August 17^th 2022 at 23:33

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Naked Security

Chrome browser gets 11 security fixes with 1 zero-day – update now!

By Paul Ducklin — August 17^th 2022 at 13:16

Don't delay - patch today.

Naked Security

Zoom for Mac patches critical bug – update now!

By Paul Ducklin — August 15^th 2022 at 18:26

There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...

Naked Security

S3 Ep95: Slack leak, Github onslaught, and post-quantum crypto [Audio + Text]

By Paul Ducklin — August 11^th 2022 at 14:34

Latest episode - listen now! (Or read the transcript if you prefer.)

Naked Security

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…

By Paul Ducklin — August 10^th 2022 at 16:59

If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!

Naked Security

Traffic Light Protocol for cybersecurity responders gets a revamp

By Paul Ducklin — August 5^th 2022 at 18:57

Traffic lights make a handy global metaphor for denoting the sensitivity of cybersecurity threat data - three colours that everyone knows.

Naked Security

S3 Ep94: This sort of crypto (graphy), and the other sort of crypto (currency!) [Audio + Text]

By Paul Ducklin — August 4^th 2022 at 17:52

Latest episode - listen now! (Or read if that's what you prefer.)