CyberSecurity Updates

Investigation launched into Twitter after 400m user details posted on hacking fo…

A dataset allegedly containing the email addresses and phone numbers of more than 400 million Twitter users has been put up for sale on hacking forum Breached Forums. The dataset was uploaded to Breached Forums on December 23, 2022, by a hacker going by the screen name ‘Ryushi’. The hacker claimed to have collected the data using data scraping techniques and a now-patched vulnerability in the social media site’s software in 2021 and demanded US$200,000…

Read More

Why it might be time to consider using FIDO-based authentication devices

Every business needs a secure way to collect, manage, and authenticate passwords. Unfortunately, no method is foolproof. Storing passwords in the browser and sending one-time access codes by SMS or authenticator apps can be bypassed by phishing. Password management products are more secure, but they have vulnerabilities as shown by the recent LastPass breach that exposed an encrypted backup of a database of saved passwords. For organizations with high security requirements, that leaves hardware-based login…

Read More

The world’s most common passwords: What to do if yours is on the list

Do you use any of these extremely popular – and eminently hackable – passwords? If so, we have a New Year’s resolution for you. Security experts have been predicting the death of the password for well over a decade. But it’s still the main way we log-in to our online accounts and mobile applications. Why? Because we all know exactly how to use them. And many of us are reluctant to learn new ways. It…

Read More

Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

by Naked Security writer It looks like the sort of meeting room you might find in startups all over the world: diffuse lighting from windows down one wall, alongside a giant poster cityscape of New York’s Brooklyn Bridge, with the Manhattan skyline towering behind it. The difference in this case is that that the computer workstations around the room are there for a different sort of “entrepreneurial” venture, and the room is empty not because…

Read More

New Malware Campaign Uses Stolen Bank Information as Lure

Threat actors with access to stolen, sensitive data have many options to utilize this data in a malicious manner. In this case, the threat group decided to use confidential data as lures in phishing emails to carry out a second attack against victims. Whenever a company is alerted to a breach and makes it public, all customers who believe they may have had data compromised should remain vigilant to the use of this data in…

Read More

Recently Discovered Linux Malware Packs 30 Plugin Exploits for WordPress

WordPress is a very common website platform because it is free and easy to use, but this also makes it a more desirable target for threat actors. Keeping a WordPress site up to date is crucial. Fortunately, WordPress does have an automatic update feature which Binary Defense strongly recommends that users enable. Because many plug-ins are community created and distributed, often times critical updates can be slow to release, if an update comes at all.…

Read More

Netgear WiFi Routers Receive Update For Critical Vulnerability

Users of the above Netgear devices should update their firmware as soon as possible. Netgear support documentation provides update instructions for affected users: 1. Visit NETGEAR Support: https://www.netgear.com/support/2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.3. If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for…

Read More

Researcher Says Google Paid $100k Bug Bounty for Smart Speaker Vulnerabilities

Security researcher Matt Kunze says Google paid him a $107,500 bug bounty reward for responsibly reporting vulnerabilities in the Google Home Mini smart speaker. The issues, the researcher says, could have been exploited by an attacker within wireless proximity to create a rogue account on the device and then perform various actions. According to Kunze, the attacker could use the account to send remote commands to the device, over the internet, to access the microphone,…

Read More

PyTorch suffers supply chain attack via dependency confusion

Users who deployed the nightly builds of PyTorch between Christmas and New Year’s Eve likely received a rogue package as part of the installation that siphoned off sensitive data from their systems. The incident was the result of an attack called dependency confusion that continues to impact package managers and development environments if hardening steps are not taken. “If you installed PyTorch nightly on Linux via pip between December 25, 2022, and December 30, 2022,…

Read More

LockBit apologizes for ransomware attack on hospital, offers decryptor

LockBit, a prominent ransomware-as-a-service (RaaS) operation, has apologized for an attack on the Toronto-based Hospital for Sick Children, also known as SickKids, and offered a free decryptor.  SickKids, a major pediatric teaching hospital, announced on December 19 that it had called a Code Grey system failure, as it was responding to a cybersecurity incident that was affecting several network systems at the hospital. The incident impacted some internal clinical and corporate systems, as well as…

Read More