Chrome's RAM usage is higher than ever as Google introduces Site Isolation to fight Spectre
Google's Chrome browser may be popular, but you'll find a lot of its users complain about high memory usage. With Chrome 67, things just got even worse.
If you've noticed that Chrome on the desktop is using more RAM, you're not imagining it. Google has enabled a Site Isolation feature in Windows, Mac, Linux and Chrome OS to help mitigate the Spectre vulnerability -- and it's a bit memory-hungry.
New Spectre 1.1 and Spectre 1.2 CPU vulnerabilities exposed
It seems that the Spectre and Meltdown vulnerabilities saga is never-ending, and now there are two new related CPU flaws to add to the mix. Dubbed Spectre 1.1 and Spectre 1.2, the vulnerabilities (CVE-2018-3693) exploit speculative execution and can modify data and bypass sandboxes.
Two security researchers have disclosed details of the new vulnerabilities, both of which have the potential to leak sensitive data. By tinkering with the speculative execution processes of Intel and ARM CPUs, it would be possible to use malicious code to extract information such as passwords and crypto keys.
Timehop admits its security breach was worse than first thought
The security breach suffered by Timehop on July 4 was much more serious than the company first thought. In an update to its original announcement, the company has revealed that while the number of accounts affected by the breach -- 21 million -- has not changed, the range of personal data accessed by hackers is much broader.
Timehop has released an updated timeline of events, having initially felt forced by new GDPR rules to publish some details of the breach before all information had been gathered. The company says that it is also unsure of where it stands with GDPR, and is working with specialists and EU authorities to ensure compliance.
Arch Linux AUR packages found to be laced with malware
Three Arch Linux packages have been pulled from AUR (Arch User Repository) after they were discovered to contain malware. The PDF viewer acroread and two other packages that are yet to be named were taken over by a malicious user after they were abandoned by their original authors.
A user by the name of xeactor took ownership of acroread and tweaked the source code of the package, lacing it with malware. In this particular instance there were no major consequences, but it highlights the security issues associated with user-submitted software.
New solution provides adaptive authentication for Windows and Mac
Once a user is logged on, they typically have access to a wealth of sensitive applications and systems. Strong authentication at the front door therefore helps boost the overall security of the entire system.
A new adaptive authentication system developed by identity automation specialist SecureAuth Corp + Core Security is available for Windows and Mac systems, enabling adaptive and multi-factor authentication for users logging into servers, desktops, and laptops.
Malware infections drop during World Cup matches -- Result!
Even if you’re not a soccer/football fan, it probably hasn't escaped your notice that there's a World Cup going on in Russia at the moment.
We expect big sporting events to be exploited to launch phishing and malware campaigns but researchers at Enigma Software have spotted an interesting new phenomenon -- malware infections actually drop on match days.
Cybersecurity: It's about time
The sprawling and complex set of subjects we call cyber security can all be tied to one fundamental concept -- time. The time it takes a cyberattack to penetrate, the time from initial compromise to lateral movement across the network, the time it takes for an attack to be detected, to be analyzed, to be responded to and remediated.
Time is one of seven base quantities in the International System of Units upon which all other measures are constructed. No surprise then that it’s the single most important factor in cybersecurity program success.
Apple releases iOS 11.4.1 with passcode cracking blocker -- that can be easily bypassed with an accessory it sells
Apple is working away on iOS 12 at the moment, but it's still pushing out updates for iOS 11. As promised just a few weeks ago, a new update aims to block the use of iPhone passcode cracking tools, such as those used by law enforcement. But the patch has already been found to be flawed.
The latest update to iOS introduces a new USB Restricted Mode which is supposed to prevent the Lightning port of an iPhone or iPad being used to transfer data an hour after the device is locked. However, security researchers discovered that it is possible to bypass this security feature by plugging in an "untrusted USB accessory" -- and Apple sells such a device for just $39.
100 percent of corporate networks vulnerable to insider attacks
Penetration testing company Positive Technologies has released some alarming figures surrounding the vulnerability of corporate networks to insider attacks.
During testing performed as an internal attacker, the company's researchers were able to obtain full control of infrastructure on all the corporate networks they attempted to compromise. Only seven percent of systems were assessed as having 'moderate' difficulty of accessing critical resources.
Two out of three IT pros don't comply with all data laws
According to a new study, 68 percent of IT professionals believe their organizations are failing to carry out all procedures in line with data protection laws.
The report from digital security specialist Gemalto also shows 65 percent of companies are unable to analyze all the data they collect and only just over half (54 percent) know where all of their sensitive data is stored.
Fitness app Polar Flow exposed names and locations of thousands of military, NSA and FBI staff
It's not all that long since fitness app Strava caused something of a security nightmare by inadvertently revealing the locations of numerous secret military bases. Now another app -- Polar Flow this time -- has gone a step further and revealed the names and home addresses of nearly 6,500 users.
A joint investigation by Bellingcat and Dutch journalism platform De Correspondent found that the app is "revealing the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world".
Hacked: Timehop database breach exposed details of 21 million users
Timehop -- the social network for those who like to reminisce -- has revealed that it fell victim to a security breach on Independence Day. The attacker managed to access an internal database and stole the personal data of 21 million users from Timehop's Cloud Computing Environment.
The vast majority of those affected by the "security incident" (as Timehop refers to it) had their names and usernames exposed, but for nearly a quarter of them -- 4.7 million -- phone numbers were also exposed. The hacker also took access tokens which could be used to view users' posts.
Gentoo Linux GitHub Organization repo hack was down to a series of security mistakes
The team behind Gentoo Linux has revealed the reasons for the recent hack of its GitHub organization account. The short version: shoddy security.
It seems that the hackers were able to gain access to the GitHub organization account by using the password of one of the organization administrators. By the team's own admission, poor security meant that the password was easy to guess. As the Register points out, "only luck limited the damage", but the Gentoo Linux team is keen to let it be known that it has learned a lot from the incident.
The importance of cybersecurity training for business
While businesses spend a lot of time and effort putting up technical defenses to protect their systems, often the weakest spot is the users.
Employees can do harm to the business by visiting infected websites, responding to phishing emails, using business email through public Wi-Fi and more. Spam filtering service EveryCloud has put together an infographic looking at why it’s therefore important for companies to offer cybersecurity training.
Cryptocurrency exchange Binance halts trading after detecting irregular SYS trading activity
Binance -- the largest cryptocurrency exchange in the world -- temporarily halted all trading after it detected "irregular trading on some APIs".
As a precautionary measure, the exchange removed all existing API keys and asked users to re-create theirs from their accounts. The measure meant a suspension of trading, withdrawals and other account activity. The matter is related to the Bitcoin fork Syscoin, which halted deposits and withdrawals, but Binance stressed that there had not been a hack and that its blockchain is safe.
BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.