News

More work to do as most deadlines are missed and worst bugs still take months to fix

The deadlines associated with CISA's Known Exploited Vulnerabilities (KEV) catalog only apply to federal agencies, but fresh research shows they're having a positive impact on private organizations too.…

Thousands of guards' ID cards and CCTV snaps of suspects found online

Exclusive  A UK-based physical security business let its guard down, exposing nearly 1.3 million documents via a public-facing database, according to an infosec researcher.…

Crims SIM swap execs' kids to freak out their parents, Mandiant CTO says

RSAC  Ransomware infections and extortion attacks have become "a psychological attack against the victim organization," as criminals use increasingly personal and aggressive tactics to force victims to pay up, according to Google-owned Mandiant.…

And the iOS titan doesn't seem that bothered with data leaking out

Last week, Apple began requiring iOS developers justify the use of a specific set of APIs that could be used for device fingerprinting. Yet the iGiant doesn't appear to be making much effort to ensure that Google, Meta, and Spotify comply with the rules, it's claimed.…

After very boring first reveal, this could be the real deal

Cops around the world have relaunched LockBit's website after they shut it down in February – and it's now counting down the hours to reveal documents that could unmask the ransomware group.…

Decentralization is great, except when many servers grab data from a site

Mastodon has pushed back an update that would have addressed the issue of link previews creating accidental distributed denial of service (DDoS) attacks.…

Accused of stealing data after losing his job

A cybersecurity expert could face a 20-year prison sentence after being accused of allegedly trying to extort a multinational IT infrastructure services biz out of $1.5 million.…

Recent attacks on healthcare thrust infosec agency into alert mode

CISA is calling on the software industry to stamp out directory traversal vulnerabilities following recent high-profile exploits of the 20-year-old class of bugs.…

ALSO: Microsoft promises to git gud on cybersecurity; unqualified attackers are targeting your water systems, and more

infosec in brief  It was just around a year ago that a spate of allegedly Russian-orchestrated cyberattacks hit government agencies in Germany, and now German officials claim to know for a fact who did it: APT28, or Fancy Bear, a Russian threat actor linked to the GRU intelligence service.…

Internet Society's Robin Wilton tells us the war on privacy won't be won by the plod

interview  Police can complain all they like about strong end-to-end encryption making their jobs harder, but it doesn't matter because the technology is here and won't go away. …

Privacy Not Included label slapped on 22 of 25 top lonely-hearts corners

Dating apps ask people to disclose all kinds of personal information in the hope of them finding love, or at least a hook-up.…

Ready, set, sanctions?

If volunteer intelligence gatherers are correct, the US may have a good reason to impose sanctions on Russian infosec firm Kaspersky, whose AI was allegedly used to help Russia produce drones for its war on Ukraine.…

Sure, we're waking to the risk, but we gotta get outta bed, warns Endor Labs founder Varun Badhwar

interview  The more cybersecurity news you read, the more often you seem to see a familiar phrase: Software supply chain (SSC) vulnerabilities. Varun Badhwar, founder and CEO at security firm Endor Labs, doesn't believe that's by coincidence. …

Cops prevented crims from bilking victims out of more than €10m - but couldn't stop crime against art

A Europol-led operation dubbed “Pandora” has shut down a dozen phone scam centers, and arrested 21 suspects. The cops reckon the action prevented criminals from bilking victims out of more than €10 million (£8.6 million, $11 million).…

A 'murky' web sees many purchases run through Singapore in a way that hides potential users

Indonesia has acquired spyware and surveillance technologies through a "murky network" that extends into Israel, Greece, Singapore and Malaysia for equipment sourcing, according to Amnesty International.…

Bad configurations, insecure versions of jQuery, and crummy cookies are some of myriad problems

Exclusive  Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week.…

Windows giant extends passwordless tech to everyone else

Microsoft today said it will now let us common folk — not just commercial subscribers — sign into their Microsoft accounts and apps using passkeys with their face, fingerprint, or device PIN.…

Operation busted after dodgy devices ended up at Air Force

Miami resident Onur Aksoy has been sentenced to six and a half years in prison for running a multi-million-dollar operation selling fake Cisco equipment that ended up in the US military.…

Ten vulnerabilities in total for admins to apply

Network admins are being urged to patch a bundle of critical vulnerabilities in ArubaOS that lead to remote code execution as a privileged user.…

Warning comes exactly a year after the vulnerability was introduced

The US Cybersecurity and Infrastructure Security Agency (CISA) is forcing all federal agencies to patch a critical vulnerability in GitLab's Community and Enterprise editions, confirming it is very much under "active exploit."…