Information

Life in pursuit of answers: In the words of Ada Yonath

From a little girl financially helping her family in Jerusalem to a Nobel Prize laureate. That is the exceptional life of Ada Yonath in a nutshell. The first female Israeli Nobel Laureate and the fourth woman in the world to be awarded the Nobel Prize in Chemistry, Ada Yonath has dedicated her life to the pursuit of answers to the most crucial scientific questions and to advancing progress in her field. Her curiosity and her…

How to hack an unpatched Exchange server with rogue PowerShell code

by Paul Ducklin

Just under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange. As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082: [were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself. The first…

Leaked Algolia API Keys Exposed Data of Millions of Users

Threat detection firm CloudSEK has identified thousands of applications leaking Algolia API keys, and tens of applications with hardcoded admin secrets, which could allow attackers to steal the data of millions of users. Organizations can use Algolia’s API to incorporate into their applications functions such as search, discovery, and recommendations. The API is used by over 11,000 companies, including Lacoste, Slack, Medium, and Zendesk. CloudSEK says it has identified 1,550 applications that leaked Algolia API…

How social media scammers buy time to steal your 2FA codes

by Paul Ducklin

Phishing scams that try to trick you into putting your real password into a fake site have been around for decades. As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because: Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus…

California County Says Personal Information Compromised in Data Breach

The County of Tehama, California, has started informing employees, recipients of services, and affiliates that their personal information might have been compromised in a data breach. The incident, Tehama County says, was identified on April 9, but the investigation into the matter stretched to August 19, when it was determined that personally identifiable information (PII) was compromised. The investigation revealed that an unauthorized third party had access to the county’s systems between November 18, 2021, and…

Latest insights on APT activity – Week in security with Tony Anscombe

What have some of the world’s most notorious APT groups been up to lately? A new ESET report released this week has the answers. What have advanced persistent threat (APT) groups been up to lately? This week, the ESET Research team published their inaugural APT Activity Report, which reviews the activities of selected APT threat actors as observed, investigated, and analyzed by ESET’s experts from May to August of this year. The report specifically looks…

Tor vs. VPN: Which should you choose?

Both Tor and a VPN can greatly help you keep prying eyes away from your online life, but they’re also two very different beasts. Which suits your needs better? People who want to keep their online activities private are often faced with the question – should I use a virtual private network (VPN) or the Tor anonymity network? What are the advantages and downsides of each? There’s definitely a lot to go through before making a choice. Wait…

Atlassian Patches Critical Vulnerabilities in Bitbucket, Crowd

Atlassian informed customers this week that it has patched critical vulnerabilities in its Crowd and Bitbucket products. In the Bitbucket source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8. “There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue…

Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns. DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware. Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software…

Ukrainian Hacker Sought by US Arrested in Switzerland: Report

A Ukrainian hacker sought by US authorities for a decade was arrested last month in Switzerland, the specialist website Krebs on Security reported. Vyacheslav Igorevich Penchukov, 40, was arrested in the Swiss canton of Geneva on October 23 while visiting his wife, the site reported. Swiss authorities confirmed to the news website Watson the arrest of a Ukrainian national sought by US authorities who is refusing extradition, but did not identify the suspect by name.…
