Information

23 Mar

CISA, NSA Issue Guidance for IAM Administrators

Information, News

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week announced new guidance for identity and access management (IAM) administrators. A framework for the management of digital identities, IAM covers the business processes, policies, and technologies that ensure user access to data. The basis for proper IAM involves inventorying, auditing, and tracking user identities and access, which represent daunting but necessary operations, especially with state-sponsored groups successfully exploiting vulnerabilities in…

Read More
22 Mar

Google Suspends Chinese E-Commerce App Pinduoduo Over Malware

Data Breaches, Information, Insights

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones. In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which…

Read More
22 Mar

Windows 11 also vulnerable to “aCropalypse” image data leakage

Information

by Paul Ducklin Just yesterday, we wrote about a bug in Google Pixel phones, apparently now patched, with potentially dangerous consequences. The bug finders, understandably excited (and concerned) by what they’d found, decided to follow the BWAIN principle for maximum, turning it into a Bug With An Impressive Name: aCropalypse. In case you’re wondering, the word apocalypse literally means any sort of revelation, but it’s usually used to refer to the biblical text known as…

Read More
22 Mar

Backslash Snags $8M Seed Financing for AppSec Tech

Information, News

Looking to grab a slice of the lucrative enterprise AppSec market, Backslash Security emerged from stealth Wednesday with $8 million in seed-stage capital and new technology to identify and mitigate “toxic code flows” in cloud-native applications.  The Israeli startup said the financing was provided by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co.  A roster of prominent security practitioners and entrepreneurs also joined the round.  Based in Tel Aviv, Backslash is building…

Read More
21 Mar

Twitter ends free SMS 2FA: Here’s how you can protect your account now

Information

Twitter’s ditching of free text-message authentication doesn’t mean that you should forgo using 2FA. Instead, switch to another – and, indeed, better – 2FA option. Starting today, Twitter is disabling SMS-based two-factor authentication (2FA) for all but paying users following a decision that, not unlike other recent moves by the social media giant, has been met with controversy that has reverberated far beyond the Twitterverse. “While historically a popular form of 2FA, unfortunately, we have…

Read More
21 Mar

Google Pixel phones had a serious data leakage bug – here’s what to do!

Information

by Paul Ducklin Even if you’ve never used one, you probably know what a VCR is (or was). Short for video cassette recorder, it was how we recorded and watched back videos at home in the days when digital video stored on hard disks was the absurdly expensive privilege of huge companies, typically TV stations. The cassettes were small plastic containers that held two reels and a long strip of magnetic recording tape – kind…

Read More
21 Mar

Verosint Launches Account Fraud Detection and Prevention Platform

Information, News

Security startup 443ID, which previously focused on bringing open source intelligence (OSINT) to access management, is now refocusing its solution to tackle account fraud detection and prevention, and has changed its name to Verosint to better describe its new focus. It is launching what is technically version 2 of 443ID’s IAM platform, but is effectively version 1 of Verosint’s account fraud solution. “The previous product was focused on measuring the likelihood of risk to enable…

Read More
20 Mar

Bitcoin ATM customers hacked by video upload that was actually an app

Information

by Paul Ducklin There are plenty of military puns in operating system history. Unix famously has a whole raft of personnel known as Major Number, who organise the batallions of devices such as disk drives, keyboards and webcams in your system. Microsoft once struggled with the apparently incompetent General Failure, who was regularly spotted trying to read your DOS disks and failing. Linux has intermittently has trouble with Colonel Panic, whose appearance is typically followed…

Read More
20 Mar

Why You Should Opt Out of Sharing Data With Your Mobile Provider

Data Breaches, Information, Insights

A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this data collection. Here’s a primer on why you might want to do that, and how. Image: Shutterstock Telecommunications giant AT&T disclosed this month that a breach…

Read More
20 Mar

Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes

Information, News

Cryptocurrency ATM manufacturer General Bytes over the weekend disclosed a security incident that resulted in the theft of millions of dollars’ worth of funds. The attackers, the company says, exploited a vulnerability in the master service interface that Bitcoin ATMs use to upload videos, which allowed them to upload a JavaScript script and execute it with batm user privileges. “The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services…

Read More