Monthly Archives: March 2013

"We apologise for the previous apology" - NZ gov dept in email CC: double-blunder

A government department in New Zealand has had to apologise twice after mixing up CC: and BCC: when apologising for mixing up CC: and BCC:.

It's a really easy mistake to make, so take a moment to remind yourself why it's a bad idea...

Many Amazon S3 cloud storage users are exposing sensitive company secrets, claims report

Amazon S3 buckets full of holes

A security researcher tested a slew of (probably misconfigured) storage buckets and found about one in six were open to the public, exposing content we think companies would probably have preferred to keep private.

Lisa Vaas explores what has happened.

Rohypnol, rape and other disturbing content. Isn't it about time Facebook cleaned up its act?

Facebook should be doing more to protect its billion users from abuse, argues Graham Cluley.

Can any social network defend taking no proactive action against pages which promote date-rape drug Rohypnol and have obviously offensive content?

Spring ushers in US tax scam season

To remind taxpayers to be on the lookout for scams ranging from identity theft to return-preparer fraud, the IRS posted its Dirty Dozen list of tax scams for 2013.

Massive DDoS attack against anti-spam provider impacts millions of internet users

The largest recorded DDoS attack has been ongoing for over eight days now, causing slowdowns and errors throughout the internet. Is this a one-time scenario, or does it expose a greater weakness in the world's largest network?

Spicing up phishing attacks

Phishing is often regarded as old hat. From a technical perspective, it's a case of 'been there, done that'. Sometimes however, we come across attacks that are just a little bit more interesting (or at least different) from the norm.

The 'What's Worse Security Championships'

With March Madness Basketball in full swing in America, we thought it might be fun to try and adapt the concept of sport championships to the land of IT security.

SSCC 105 - HP printers, Google blocks ad blockers, Apple does the 2-step, and more...

Have you joined thousands of others, and become a loyal listener to the "Chet Chat" yet?

Here's the latest Naked Security podcast, Sophos Security Chet Chat 105, discussing a range of recent and newsworthy topics from the world of computer security.

Spanish Linux group runs to teacher, complains about Microsoft's Secure Boot

Spanish open source association Hispalinux, reports Reuters, has officially complained to the European Commission about the Windows 8 Secure Boot system.

Paul Ducklin gets quizzical about what happens next...

Interview with Writer/Director of "Code 2600" and BSides Austin organizers [PODCAST]

Chet interviews the writer and director of hacker film "Code 2600" and Austin BSides organizers/consultants Michael Gough and Ian Robertson. We also introduce the new Kickstarter project Hackers in Uganda.

Five Slovenians arrested for $2.5M email banking fraud

Slovenian police on Thursday raided 12 homes and arrested five Slovenian citizens in connection with sending malware-packed email to small and medium businesses' accounting departments.

Anatomy of a "feature" - should JavaScript be allowed to change a web link *after* you click on it?

A young web coding enthusiast from Manchester, UK, recently published a thought-provoking hackette intended to highlight the risks of relying only on "look before you click."

Paul Ducklin wants to know what you think of it...

17-year-old arrested for hacking into phones, stealing and distributing explicit images of children

A US teenager is charged with distributing child pornography after allegedly hacking minors' cellphones through an SMS ad that installed malware, giving him access to the phones' content.

Monday review - the hot 21 stories of the week

It's weekly roundup time. Here's all the great stuff we've written in the past seven days.

Apple password reset website - gaping hole found, fixed

Apple has had a good-bad-good-bad week of it in the computer security environment.

Its announcement of two-step verification for some users was quickly followed by a report of a password recovery exploit for everyone else...

Anatomy of a bug - "Battlefield: Play4Free" hole allows dodgy updates to go unnoticed

A pair of Maltese vulnerability researchers have found a security hole in Battlefield: Play4Free from digital games giant EA.

The vulnerability abuses the fact that different versions of Windows deal differently with erroneous input to the function used to start new processes.

Fake Zendesk security notice spammed out, directs traffic to Canadian drug websites

Should you trust the security notice you have just been emailed, telling you to watch out for scam emails and to use hard-to-crack passwords?

Perhaps not...

Apple introduces two-factor verification for Apple IDs

After celebrity Web 2.0 journalist Mat Honan had all his iDevices remote-wiped by a cybercrook last year, Apple's login security has been under scrutiny.

Good news! Apple has finally bitten the bullet and started offering two-factor verification for Apple ID users...

IT admin pleads guilty to hacking into and spying on New Jersey mayor's email

Patrick Ricciardi configured computer systems to collect all emails sent to the mayor and two high-ranking city employees.

He did it, he said, to see if his job was secure. We can say with reasonable certainty now that it is not.

BBC Weather's Twitter account is hijacked by Syrian Electronic Army

The official Twitter account used by the BBC's weather team has been hijacked by Syrian hackers.

Fortunately, they don't seem to be using it to spread malicious links - instead, they are using it to spread political messages about Syria.