Wednesday, April 21, 2021

S3 Ep28.5: Hacking back – is attack an acceptable form of defence?

Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath. With Paul Ducklin and Chester Wisniewski https://nakedsecurity.sophos.com/fbi-hacks-into-hundreds-of-infected-us-servers Original music...

S3 Ep28: Pwn2Own hacks, darkweb hitmen and COVID-19 privacy

We look at the big-money hacks from the 2021 Pwn2Own competition. We investigate the difficulties of hiring an assassin via the dark web. We wrestle with some of the privacy issues relating to COVID-19 infection tracking apps. https://nakedsecurity.sophos.com/pwn2own-2021-zoom-teams-exchange-chrome-and-edge https://nakedsecurity.sophos.com/italian-charged-with-hiring-dark-web-hitman https://nakedsecurity.sophos.com/apple-and-google-block-official-uk-covid-19-app With Kimberly Truong,...

S3 Ep27: Census scammers, beg bounties and data breach fines

How scammers copied a government website almost to perfection. What to do about those fake "bug" hunters who ask for payment for finding "vulnerabilities" that aren't. Why the Dutch data protection authority fined Booking.com for not sending in a...

S3 Ep26: Apple 0-day, crypto vulnerabilities and PHP backdoor

Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks. https://nakedsecurity.sophos.com/apple-devices-get-urgent-patch-for-zero-day-exploit https://nakedsecurity.sophos.com/serious-security-openssl-fixes-two-high-severity-crypto-bugs https://nakedsecurity.sophos.com/php-web-language-narrowly-avoids-dangerous-supply-chain-attack With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter:...

S3 Ep25: Drained accounts, ransomware attacks and Linux badware

How a heartless and devious scammer ripped off every penny from a woman in England who was lured in by one of those "small outstanding fee to pay" home-delivery scams. The ransomware crooks who are targeting victims who still...

S3 Ep24: How not to get snooped, scammed or hoaxed

We discuss an iPhone app that allowed anyone to snoop on anyone's calls - but not in the way you might expect. We investigate a data breach where 150,000 surveillance cameras protecting hundreds or thousands of customers were apparently...

S3 Ep23.5: An interview with cybersecurity expert John Noble CBE

John Noble was Director of Incident Management at the UK's National Cyber Security Centre (NCSC) until his retirement in 2018. During his 40 years of Government service, John specialised in operational delivery and strategic business change. For his work...

S3 Ep23: Hafnium happenings, I see you, and Pythonic poison

Getting to grips with the HAFNIUM cybercrooks/vulnerabilities/exploits/webshells/attacks. Why it's important to think before you share those home-based selfies. What you need to know about social engineering. How (not!) to prove a point when you're a programmer. https://nakedsecurity.sophos.com/serious-security-webshells-explained-in-the-aftermath-of-hafnium https://nakedsecurity.sophos.com/i-see-you-your-home-working-photos-reveal-more-than-you-think https://nakedsecurity.sophos.com/s3-ep12-a-chat-with-social-engineering-hacker-rachel-tobac https://nakedsecurity.sophos.com/poison-packages-supply-chain-risks-user-hits-python-community With Kimberly Truong and...

S3 Ep22: Cryptographic escapes and social media scams

How to stop security-conscious apps from allowing plaintext data to escape, and how scammers put social network users under pressure in order to steal their passwords. https://nakedsecurity.sophos.com/keybase-secure-messaging-fixes-photo-leaking-bug https://nakedsecurity.sophos.com/naked-security-live-beware-copyright-scams With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email:...

S3 Ep21: Cryptomining clampdown, the 100-ton man, and ScamClub ads

The graphics card that wants you to stick to playing games, the man that didn't weigh 100 tons after all, and the marketing gang that used a browser bug to...

S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs

How a bug hunter sneaked into 35 megacorps' internal networks. Why romance scams are going stronger than ever (and how to avoid them). What to do about those tempting but treacherous "tax refund" messages. And a listener tells how...

S3 Ep19.5: How NOT to be a bug bounty hunter

In this special mini-episode, Paul Ducklin talks to Sophos cybersecurity expert Chester Wisniewski about bug bounty hunting. How does bug bounty hunting work? What should you do if you get a bug report that doesn't follow established protocol? Chester tells...

S3 Ep19: Chrome zero-day, coffee hacking and Perl.com stolen

We delve into Google's tight-lipped Chrome bugfix, explain how a Belgian researcher awarded himself 111,848 cups of coffee, and discuss the audacious but thankfully temporary theft of the Perl.com domain. https://nakedsecurity.sophos.com/chrome-zero-day-browser-bug https://nakedsecurity.sophos.com/free-coffee-dutch-researcher https://nakedsecurity.sophos.com/perl-com-gets-its-domain-back With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by...

S3 Ep18: Apple emergency, crypto blunder and botnet takedown

Apple pushed out an iOS update in something of a hurry to shut down a serious 0-day bug. The GnuPG team scrambled to fix an ironic vulnerability that could be exploited during the very process of checking if the...

S3 Ep17: Facemasks, hidden ads and paranormal hacking

What's the connection between coronavirus facemasks and fingerprint biometrics? Who would have expected funky job ads on the White House website? And what would you do if you spotted a deceased former colleague hanging out on your network? https://nakedsecurity.sophos.com/has-the-coronavirus-pandemic-affected-apples-hardware https://nakedsecurity.sophos.com/us-administration-adds-subliminal-ad https://nakedsecurity.sophos.com/ghost-hack-criminals-use-deceased-employees-account With Kimberly...
The Register

Japan accuses Chinese military of cyber-attacks on its space agency

200 other companies also targeted, but no data lost

Japan has accused a member of the Chinese Communist Party of conducting cyber-attacks on its space agency and 200 other local entities.…

Tool links email addresses to Facebook accounts at scale

Still smarting from last month’s dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a mass scale,...
SC Magazine

With details sparse, vendors scramble to make sense of Biden 100-day grid security plan

The Biden administration launched what it called a “bold” 100-day sprint to improve the cybersecurity of electric utilities on Tuesday. The plan was not released in full to the public, or to many vendors who might be instrumental in...
The Register

China broke into govt, defense, finance networks via zero-day in Pulse Secure VPN gateways? No way

Crucial flaw won't be fixed until next month

Dozens of defense companies, government agencies, and financial organizations in America and abroad appear to have been compromised via vulnerabilities in their Pulse Connect Secure VPN appliances – including a zero-day...