Information

28 Dec

Twitter data of “+400 million unique users” up for sale – what to do?

Information

by Paul Ducklin Hot on the heels of the LastPass data breach saga, which first came to light in August 2022, comes news of a Twitter breach, apparently based on a Twitter bug that first made headlines back in the same month. According to a screenshot posted by news site Bleeping Computer, a cybercriminal has advertised: I’m selling data of +400 million unique Twitter users that was scraped via a vulnerability, this data is completely…

Read More
28 Dec

Netwrix Acquires Remediant for PAM Technology

Information, Malware, News

Data security software vendor Netwrix has acquired Remediant, an early-stage startup working on technology in the PAM (privileged access management) category. Financial terms of the acquisition were not disclosed.  Remediant, based in San Francisco and backed by Dell Technologies Capital and ForgePoint Capital, raised $15 million in Series A venture capital funding in August 2019. Remediant, founded in 2015 by security practitioners Paul Lanzi  and Tim Keeler, built a PAM software product that offered continuous…

Read More
28 Dec

EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer

Information, News

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States. The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University…

Read More
27 Dec

2022 in review: 10 of the year’s biggest cyberattacks

Information

The past year has seen no shortage of disruptive cyberattacks – here’s a round-up of some of the worst hacks and breaches that have impacted a variety of targets around the world in 2022 The past year has seen the global economy lurch from one crisis to another. As COVID-19 finally began to recede in many regions, what replaced it has been rising energy bills, soaring inflation and a resulting cost-of-living crisis – some of…

Read More
27 Dec

Critical “10-out-of-10” Linux kernel SMB hole – should you worry?

Information, Uncategorized

by Paul Ducklin Just before the Christmas weekend – in fact, at about the same time that beleaguered password management service LastPass was admitting that, yes, your password vaults were stolen by criminals after all – we noticed a serious-sounding Linux kernel vulnerability that hit the news. The alerts came from Trend Micro’s Zero Day Initiative (ZDI), probably best known for buying up zero-day security bugs via the popular Pwn2Own competitions, where bug-bounty hunting teams…

Read More
27 Dec

Data of 400 Million Twitter Users for Sale as Irish Privacy Watchdog Announces Probe

Information, News

An individual is offering to sell the data of more than 400 million Twitter users, just as Ireland’s data protection watchdog has announced an investigation into the recent data leaks impacting the social media giant. On December 23, someone posted a message on a popular hacking forum announcing the sale of a database containing the names, usernames, email addresses, phone numbers and follower counts of over 400 million Twitter accounts. A sample of roughly 1,000…

Read More
23 Dec

LastPass finally admits: They did steal your password vaults after all

Information

by Paul Ducklin Popular password management company LastPass has been under the pump this year, following a network intrusion back in August 2022. Details of how the attackers first got in are still scarce, with LastPass’s first official comment cautiously stating that: [A]n unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. A folllow-up announcement about a month later was similarly inconclusive: [T]he threat actor gained access…

Read More
23 Dec

S3 Ep114: Preventing cyberthreats – stop them before they stop you! [Audio + Text]

Information, Malware

by Paul Ducklin STOP THE CROOKS BEFORE THEY STOP YOU! Paul Ducklin talks to world-renowned cybersecurity expert Fraser Howard, Director of Research at SophosLabs, in this fascinating episode, recorded during our recent Security SOS Week 2022. When it comes to fighting cybercrime, Fraser truly is a “specialist in everything”, and he also has the knack of explaining this tricky and treacherous subject in plain English. Click-and-drag on the soundwaves below to skip to any point.…

Read More
23 Dec

Microsoft Patches Azure Cross-Tenant Data Access Flaw

Information, Malware, News

Microsoft has silently fixed an important-severity security flaw in its Azure Container Service (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks. The vulnerability, documented by researchers at Mnemonic, effectively removed the entire network and identity perimeter around  internet-isolated Azure Cognitive Search instances and allowed cross-tenant access to the data plane of ACS instances from any location, including instances without any explicit network exposure. According to Mnemonic researcher Emilien…

Read More
23 Dec

Facebook Agrees to Pay $725 Million to Settle Privacy Suit

Information, News

Facebook parent Meta has agreed to pay $725 million to settle a long-running lawsuit that accused the social network of allowing third parties, including Cambridge Analytica, to access users’ private data. The amount was disclosed in a court filing late on Thursday. “The proposed settlement of $725,000,000 is the largest recovery ever achieved in a data privacy class action and the most Facebook has ever paid to resolve a private class action,” lawyers for the…

Read More