Continuous Monitoring and Protection
by Paul Ducklin World Password Day is always hard to write tips for, because the primary advice you’ll hear has been the same for many years. That’s because the “passwordless future” that we’ve all been promised is still some time away, even if some services already support it. Simply put, we’re stuck with the old, while at the same time preparing for the new. That’s why we’ve come up with four tips for 2023, but…
Read Moreby Paul Ducklin SILENT SECURITY! (IS THAT A GOOD THING?) No audio player below? Listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher. READ THE TRANSCRIPT DOUG. Passwords, botnets, and malware on the Mac. All…
Read Moreby Paul Ducklin We’ve written about PHP’s Packagist ecosystem before. Like PyPI for Pythonistas, Gems for Ruby fans, NPM for JavaScript programmers, or LuaRocks for Luaphiles, Packagist is a repository where community contributors can publish details of PHP packages they’ve created. This makes it easy for fellow PHP coders to get hold of library code they want to use in their own projects, and to keep that code up to date automatically if they wish.…
Read MoreThe French Senate’s website was offline on Friday after pro-Russian hackers claimed to have taken it down, in just the latest such cyberattack since Russia invaded Ukraine last year. “Access to the site has been disrupted since this morning,” the upper house of Parliament said on Twitter shortly before midday, saying a team was busy fixing the problem. A group calling itself NoName on Telegram claimed responsibility, saying it had acted because “France is working…
Read MoreThe U.S. government this week put a $10 million bounty on a Russian man who for the past 18 years operated Try2Check, one of the cybercrime underground’s most trusted services for checking the validity of stolen credit card data. U.S. authorities say 43-year-old Denis Kulkov‘s card-checking service made him at least $18 million, which he used to buy a Ferrari, Land Rover, and other luxury items. Denis Kulkov, a.k.a. “Nordex,” in his Ferrari. Image: USDOJ.…
Read MoreA sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network’s chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has…
Read MoreA shocking number of organizations — including banks and healthcare providers — are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in. A researcher found DC Health had five Salesforce Community sites exposing data. Salesforce Community is a widely-used cloud-based software product that…
Read MoreWe learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks. Researchers…
Read MoreFor the past seven years, a malware-based proxy service known as “Faceless” has sold anonymity to countless cybercriminals. For less than a dollar per day, Faceless customers can route their malicious traffic through tens of thousands of compromised systems advertised on the service. In this post we’ll examine clues left behind over the past decade by the proprietor of Faceless, including some that may help put a face to the name. The proxy lookup page…
Read MoreKrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about “juice jacking,” a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things…
Read More