Authorities in the United States, Canada, Australia, and New Zealand are said to be investigating a wave of bogus bomb threats that have been sent to a variety of organisations late on Thursday.
But if the hoaxer thought they were going to make a lot of money through the scam, they’re going to be disappointed.
Week after week, month after month, 2018 saw organisations and companies struck by massive and damaging data breaches, putting the personal details of innocent members of the public at risk.
Read more in my article on the Bitdefender Business Insights blog.
Forbes journalist Thomas Brewster wanted to find out just how well a variety of Android phones and a top-of-the-range Apple iPhone would fare against a determined attempt to break facial recognition. And he did that by having a 3D-model printed of his head.
Read more in my article on the Tripwire State of Security blog.
The curious case of George Duke-Cohan, Huawei’s CFO finds herself in hot water, and the crazy world of mobile phone mental health apps.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guests Mikko Hyppönen from F-Secure and technology journalist Geoff White.
An independent audit has found no evidence that malicious chips were planted on Supermicro’s motherboards, debunking Bloomberg claims that servers at Amazon and Apple were being spied upon by China.
Scammers want you to send $2000 to help Huawei’s CFO bribe her way out of jail.
Google has admitted that Google Plus suffered another security failure last month, allowing the personal information of 52 million users to be accessed by third-party apps and developers without permission.
It’s a bad day when your computers get hit by ransomware.
But it only gets worse when you realise that you not only don’t have backups, but also have no way of contacting the criminals who encrypted your data.
British teenager George Duke-Cohan has been jailed for three years for making hoax bomb threats that closed hundreds of schools up and down the UK.
Computer users are being reminded once again to take care over the browser extensions they install after security experts discovered a hacking campaign that has been targeting academic institutions since at least May 2018.
The post Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea appeared first on The State of Security.
Fitness apps exploit TouchID through a sneaky user interface trick, tech giants claim to have a plan to banish passwords, and you won’t believe who was behind a sextortion scam that targeted over 400 members of the US military.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by ferret-loving ethical hacker Zoë Rose.
Two iOS fitness apps have been found exploiting a sneaky user interface trick to fool users into making unwanted in-app purchases with Touch ID.
Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!
More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.
OneSpan is now giving you the chance to download its Financial Agreement Automation RFP Guide for Account Opening, Digital Lending and Leasing Automation.
Trillions of dollars in financial transactions are processed each year. These include credit agreements, loans, new account openings, mortgages, pensions and annuities.
Today’s customer is looking for speed, ease and convenience. To meet these demands, financial institutions must offer fully digital experiences.
This guide is for financial institutions evaluating technology for agreement automation.
Agreement automation refers to the digitization of the customer agreement process for financial transactions – including application data validation, digital identity verification, agreement signing and storage, and audit trail capture.
This guide will assist you in:
Download your copy of OneSpan’s guide now.
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
There’s bad news if you’re one of the 500 million hotel guests whose data was included on the Starwood guest reservation database.
Dell has revealed that earlier this month it discovered that hackers had breached its security and were attempting to access customer details - including names, email addresses, and hashed passwords.
Authorities in the United States have charged two people in connection with a series of notorious ransomware attacks.
The post US charges Iranian hackers for SamSam ransomware attacks appeared first on The State of Security.
How are scammers stealing your money through Google Maps? Why did the FBI create a fake FedEx website? And how are US senators hoping to stop Grinch bots ruining Christmas?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
And don’t miss our special bonus interview about passwords with Rachael Stockton of LastPass.
The German government has published draft guidelines on how it believes broadband routers should be secured. But some people think more could be done.
Read more in my article on the Bitdefender Box blog.
A school district in Indiana which had $120,000 transferred from its bank account after its email account was hacked, has failed in attempt to reclaim the cash dismissed.
The problems for Lake Ridge Schools began in October 12 2016 when money earmarked for part of a seven million dollar construction project of an athletics complex at Calumet New Tech High School was fraudulently wired to parties unknown.
The email account of a business manager tasked with signing off payment requests had been hacked, and a request was made to the BNY Mellon banking giant, asking it to transfer $120,882.83 to several people listed as contractors on the project.
At the time, the school district’s business manager was on vacation – a fact not unknown to BNY Mellon as it had received an automated out-of-office email notification a few days earlier.
In addition, according to the lawsuit filed by Lake Ridge Schools, the payment request was different from those made previously – it was presented in a different font, contained some suspicious pixellation, and unlike past payments was a request for a wire transfer rather than a check.
And it’s not as though BNY Mellon wasn’t making any attempt at all to verify the payment requests it received via email from the school district’s email account. The first attempted fraudulent payment made by the email hacker was rejected, and had to be reissued the next day.
As media reports <a href=”https://www.chicagotribune.com/suburbs/post-tribune/news/ct-ptb-lake-ridge-lawsuit-st-1127-story.html” rel=”nofollow” title=”Link to Chicago Tribune”>recount</a>, the fraud was only discovered when the bank received a second payment request on October 18 2016, asking for more money to be moved. On that second occasion the bogus transfer request was intercepted by the bank before any more money could be stolen.
Remember – unlike a lot of the tales of business email compromise hitting the headlines this year, this is not the case of an employee being duped into believing their boss is ordering them to wire money to a supplier, or a bogus invoice that has been emailed into the accounts department.
This is a scenario where hackers have hijacked the email account of a member of the organisation authorised to approve payments, and then ordered the bank to wire the money to the criminals. Other than having an employee’s email account hacked in the first place, no member of staff has been duped.
In the opinion of Lake Ridge Schools, it was the bank’s fault that such a large amount of money had been fraudulently wired on the first occasion to criminals believed to be based off-shore and out of the reach of the authorities. Their opinion was that the bank should have been more diligent, and checked with the school district (presumably using a method other than email) that the payment request was genuine.
That was not a view shared by US District Court Judge Theresa Springmann, however, who dismissed the school district’s lawsuit and said that the bank was not responsible for the loss under its contract.
According to the judge, the lawsuit from Lake Ridge Schools failed to demonstrate that BNY Mellon had been negligent or committed misconduct by not spotting the payment request was fraudulent.
The agreement between the school district and bank asserted that the district’s building corporation assumed “all risks” and that the bank was unable to “determine the identity of the actual sender of such instructions.”
This opinion falls on death ears of the likes of school superintendent Sharon Johnson-Shirley who still believes that BNY Mellon should have reimbursed the district:
“They are the largest bank in the world and they are insured. I cannot believe they fought me nail and tooth. What can we do? We don’t have money to continue to fight them.”
There is perhaps an important lesson for all of us here.
It has becoming more and more common for people and companies to lose money due to online fraud, and it is not uncommon for banks to recompense us for our losses, with a mind to keeping our business and avoiding unsympathetic headlines.
These days are numbered. As fraudsters steal ever larger amounts of money through techniques such as business email compromise, we shouldn’t be surprised to find banks increasingly unwilling to accept responsibility for what goes wrong.
Now is a good time to put proper processes and technology in place to ensure that only authorised staff are able to authorise payments, and crucially that they have a reliable way of authenticating their identity to the banks wiring the money.
New information has come to light which makes it more difficult to defend York city council’s actions and communications in response to being told about a vulnerability in its One Planet York app.
Fraudsters beware! The Feds are prepared to use your own tricks against you.
Some in the computer security community feel that the council over-reacted by reporting the incident to the police.
I’m not so sure.
Prosecutors believe 21-year-old Manhattan resident Nicholas Truglia targeted the cellphones of Silicon Valley executives in “SIM-swapping” attacks.
Read more in my article on the Tripwire State of Security blog.
Prosecutors believe 21-year-old Manhattan resident Nicholas Truglia targeted the cellphones of the rich in SIM-swapping attacks.
The post SIM swap! Man charged after million dollar cryptocurrency theft appeared first on The State of Security.
Tesla takes customer service a step too far, is it a romantic gesture or stalking when you email 246 women called Nicole, and Carole finds herself in a Facebook dilemma.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.
What aren’t you telling us Amazon, and why?
An online fantasy role-playing game where participants can dress up as buxom furry animals has had its user database leaked onto the internet.
A recently discovered vulnerability in a popular WordPress plugin is being actively exploited in attacks by hackers attempting to install backdoors on websites, inject custom code, and grant themselves admin rights.
Read more in my article on the Hot for Security blog.
Judge describes men connected to TalkTalk hack as “individuals of extraordinary talent.” Sigh…
Read more in my article on the Hot for Security blog.
Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!
At Recorded Future, we believe every security team can benefit from threat intelligence. That’s why we’ve published “The Threat Intelligence Handbook.”
It’s aimed at helping security professionals realize the advantages of threat intelligence by offering practical steps for applying threat intelligence in any organization.
About Recorded Future
Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future.
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
Users of Microsoft Azure and Office 365 are struggling to access their accounts today, due to a multi-factor authentication malfunction.
Criminals planted credit-card skimming code on Vision Direct online store.
Are targeted companies missing a trick? Could they not use their tech skills to penetrate their attacker’s own computer systems, and launch a counter-attack which might knock out their adversaries’ infrastructure?
Read more in my article on the Bitdefender Business Insights blog.
MageCart, the notorious malware that has been haunting online stores by stealing payment card details from online shoppers at checkout, is reinfecting the same websites time and time again.
Read more in my article on the Tripwire State of Security blog.
Does your employer want to turn you into a cyborg? Was this phishing test devised by an evil genius? And how did a cinema chain get scammed out of millions, time and time again…?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Scott Helme.
Has someone been trying to hack into a large number of Apple ID accounts?
That’s one of the theories circulating after a significant number of iPhone owners woke up on Tuesday to discover that their handsets were displaying a message saying that their Apple ID had been locked.
All the indications are that Apple locked the accounts of an unknown number of customers, kicking them out of iCloud, iMessage, Apple Music, Apple TV and other services and – in some cases – demanding that they verify their identity to regain access.
As 9to5Mac reports, criticism has spilled out onto social media as frustrated users complained to Apple that their attempts to regain access resulted in failure.
Apple, typically, has been unforthcoming about why so many accounts appear to have been locked.
Of course, that hasn’t stopped people from speculating. Theories include that perhaps the problem lies at Apple’s end, and a bug in the code which decides if an account should be locked or not is triggering lockouts where they are not appropriate, or its systems are failing to correctly allow users to correctly verify their identity.
Another possibility is that the company has seen a spike in attempts to access accounts, perhaps using passwords gleaned from other online data breaches. Such leaks on other sites can pose a risk to Apple users if they had made the mistake of reusing passwords across multiple services.
Some locked out users, however, assert that the passwords they use to protect their iCloud accounts were not being used anywhere else on the net.
A further possibility is that Apple is simply proactively trying to protect users who it believes may be at risk of having their accounts breached. Apple, after all, does not know what password you have chosen to use on other websites (unless it also has access to a breached database), but if it is concerned that you *might* be amongst those who may have made a poor password choice, it’s not utterly impossible to imagine that they might take steps to ensure users have reset passwords rather than risk headlines of thousands of breached Apple accounts…
It should be noted that the risk associated with your Apple ID password falling into the wrong hands can be significantly reduced by adding the additional security layer of two-factor authentication (2FA) o your Apple ID account.
The nice thing about having 2FA protecting your Apple ID account, is not only that it may prevent an unauthorised party from gaining access but also that you will receive a warning of an attempt to break in.
For its part, in the immediate aftermath of the lockouts, Apple’s support team is pointing affected users to a knowledgebase article which describes actions users can take if they find their account is locked or disabled.
That won’t tell you why your account has been disabled, or what the security alert was about, but it does at least give you the steps you are normally required to take to regain access.
Meanwhile the rest of us will wait with interest to see if there is any official announcement from Apple – after all, we’re still in the dark as to whether there was a genuine security-related reason for users to have their accounts locked, or whether this was a problem with Apple’s systems.
The latest high profile account to be abused by scammers to promote a cryptocurrency giveaway? US retail giant Target.
Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!
More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.
Often, the first hurdle in customer engagement is the login password. Not only is creating and managing passwords a major annoyance, the login password is also notoriously vulnerable to data breaches.
FIDO authentication solves this problem by replacing the traditional password with strong authentication options ranging from biometrics to software and hardware tokens.
In essence, FIDO authentication offers an interoperable and standardized ecosystem of authenticators for use with mobile and online applications. It enables organizations to deploy strong authentication for login and transaction validation, without the incremental cost of in-house development.
Recently, the FIDO Alliance (Fast Identity Online) announced the availability of its FIDO2 protocol. Read more on the OneSpan blog and discover:
To learn more, make sure to check out the full article on the OneSpan blog.
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
A man has been jailed for six and a half years after sending a letter bomb to Bitcoin exchange Cryptopay. Why would anyone do such a horrendous thing? Police believe it was because he couldn’t remember his password.
A Chinese headmaster has lost his job after it was discovered he was stealing the school’s electricity to power a secret cryptocurrency-mining rig.
As the South China Morning Post reports, Lei Hua, the head teacher of a school in the central province of Hunan, built a stack of eight servers that run day and night, mining for the Ethereum cryptocurrency.
According to the report, Lei paid 10,000 yuan (approximately US $1400) in June 2017 to buy his first cryptomining machine, which he set up at his home.
However, the headmaster soon discovered that his activities were consuming a significant amount of electricity – 21 kWH per day – and in an attempt to save himself money, Lei is said to have relocated the machine to his school’s computer room, where it was soon joined by more mining machines.
Astonishingly, the school’s deputy headmaster is also said to have joined the scheme, buying a mining machine with Lei’s help that also gobbled up the school’s power supply.
In all, a total of eight cryptomining machines were installed in the school between mid-2017 and the summer of 2018.
After one year, an electricity bill of 14,700 yuan (US $2120) had been racked up, causing a school employee to raise a concern with the headmaster about why the school might be using so much electricity. Lei, however, dismissed the question and blamed the increased bill on the cost of air conditioning and heaters.
It was only when fellow teachers at the school became suspicious of the continual sound of whirring computers that the rig of eight cryptomining devices was identified.
Both Lei and his deputy headmaster have had their cryptocurrency earnings seized by the authorities, although it is not known how much they might have earnt through their clandestine operation. Lei was dismissed last month, according to reports, and his deputy given an official warning.
It’s an amusing story, but there are genuine concerns for other organisations here.
The cryptocurrency ‘gold rush’ has encouraged many people to break rules and even the law, motivated by the dream of earning themselves a fortune.
We’ve often seen this exhibited through the use of cryptomining malware impacting internet-connected PCs, but it’s equally an issue inside companies and organisations where staff might be tempted to sneak in a few computers to mine away under a desk, or in a seldom-visited server room.
Perhaps the most notorious example of this was the arrest earlier this year of a group of Russian nuclear scientists, who hijacked their own supercomputer at a top-secret nuclear weapon facility to allegedly mine for cryptocurrencies.
With the huge amount of energy and great computational power required to mine cryptocurrencies, having a supercomputer at your disposal gives you something of an advantage. Especially when someone else is paying for the electricity…
Organisations need to keep a close eye on what is happening on their network, and whether someone might have sneaked in additional computing equipment for their own purposes without permission.
After all, if you don’t have tight control over what is running in your organisation, you might have more problems than just a high electricity bill.
Travel blogger Delaine Maria D’Costa had her account wiped after she failed to pay an extortionist $200.
That was bad enough, but then she had to try to convince Instagram to let her have it back again.
Security researchers are warning that a botnet has been exploiting a five-year-old vulnerability to hijack home routers over the last couple of months.
Read more in my article on the Tripwire State of Security blog.
One travel blogger finds you don’t have to be Kylie Jenner to be targeted by an Instagram hacker. When 40 iPhones at a hospital mysteriously die, what could be the explanation? And, surprise surprise, political parties in the USA are throwing around hacking accusations.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security’s Mark Stockley.
Security researchers at ESET discovered that hackers managed to compromise StatCounter and change the analytics script used by hundreds of thousands of websites.
Dutch police have revealed that they were able to spy on the communications of more than 100 suspected criminals, watching live as over a quarter of a million chat messages were exchanged.
The encrypted messages were sent using IronChat, a supposedly secure encrypted messaging service available on BlackBox IronPhones.
The website of Blackbox Security used to prominently boast a quote from a certain Edward Snowden:
“I use PGP to say hi and hello but use IronChat(OTR) to have a serious conversation”
You won’t see that quote on Blackbox Security’s website today, though, as its server has been seized by Dutch law enforcement.
Criminals were amongst those who purchased the IronPhones, and used the IronChat app to communicate openly about their activities, believing that they were safe as they paid up US $1500 for a six month subscription to the service. What they did not realise was that the app had been compromised by police.
Police haven’t described how they made the breakthrough of managing to crack the IronChat system, and snoop upon encrypted messages, but the suspicion will be that the encrypted chat app had a weakness – such as its reliance on a central server.
In a statement, police in the Netherlands explained that as a result of their surveillance, law enforcement agencies have seized automatic weapons, large quantities of hard drugs (MDMA and cocaine), 90,000 Euros in cash, and dismantled a drugs lab.
In addition, a number of suspects are also said to have already been arrested, with multiple searches taking place in various locations around the country.
“This operation has given us a unique insight into the criminal world in which people communicated openly about crimes,” said Aart Garssen, Head of the Regional Crime investigation Unit in the east of the Netherlands.
Police only decided to shut down the service after they became aware that criminals were beginning to suspect each other of leaking information to the police, introducing a very real risk that there could be a threat to individuals’ safety. For this same reason, Dutch authorities decided to go public about their access to the chat system at a press conference.
The owner of Blackbox Security, a 46-year-old man from Lingewaard, and his partner, a 52-year-old man from Boxtel, have been arrested on suspicion of money laundering and participation in a criminal organisation. Their homes and company premises have also been searched.
Just hours before the US mid-term elections opened, Facebook responded to a tip from law enforcement agencies and shut down 115 accounts that were behaving suspiciously, and potentially linked to a foreign entity.
The cryptocurrency giveaway scammers are up to their tricks again on Twitter, and it seems that Twitter simply can’t keep up with them.
My advice to Twitter? Make Login Verification compulsory for verified accounts.
Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!
Recorded Future believes that every security team can benefit from threat intelligence. That’s why it has launched its new Threat Intelligence Grader — so you can quickly assess your organization’s threat intelligence maturity and get best practices for improving it.
Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. It empowers organizations to reveal unknown threats before they impact business, and enables teams to respond to alerts 10 times faster.
To supercharge the efforts of security teams, Recorded Future’s technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies.
91 percent of the Fortune 100 use Recorded Future.
Try out Recorded Future’s Threat Intelligence Grader for yourself now!
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.
If you’ve stayed in one of the over 1400 hotels in 70 countries that make up the Radisson Hotel Group, you could be in for a rude awakening.
If you’re one of the millions of people who travels under the English Channel each year, then there’s a good chance you may have to change your password for the Eurostar website.
Who deserves to die in a driverless car crash? Who has been sniffing around the Girl Scouts’ email account? And just how long would it take for a geologist to visit 9,000 adult web pages?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist and “Friends” fan Dan Raywood.
The latest iOS passcode bypass bug appears to have been introduced by Apple’s new Group Facetime feature.
Read more in my article on the Hot for Security blog.
Fresh from launching a £500 million group action against British Airways after a serious security breach, a UK law firm has wasted no time responding to the announcement last week of a hack at Cathay Pacific which saw the personal data of 9.4 million Cathay Pacific passengers breached.