Security

Apple has released a patch for a potentially serious iPhone bug. It's worth double-checking the patch was installed automatically and forcing it to do so if it has not. The fix comes in version 15.0.2 of iOS and patches an actively exploited ... zero-day bug. That means attackers not only know about the security hole but were already using it before Apple could release a fix. In other words, Apple had a "zero days" head start in the battle between patching and hacking. The bug involves memory corruption and means a correctly-targeted attack could allow malware to access parts of the memory that ... (view more)

Google is giving free USB security keys to around 10,000 users whose accounts are at particular risk. They include politicians and human rights activists. The move follows a targeted campaign linked to Russian hackers to try to trick such users into ... revealing their passwords. The attackers could then not only look for sensitive information in email archives but also use the hijacked accounts to spread misinformation. The USB keys use the two-factor authentication approach , adding an extra level of protection, meaning that simply getting somebody's password wasn't necessarily enough to get ... (view more)

Google is switching on two-factor authentication by default for 150 million users. It's also making it mandatory for two million people who upload videos to YouTube. The system means no longer relying on passwords as the only way to control access ... to account. Instead it adds a second method such as getting a security code on a particular phone. Two-Factor versus "Two-Step" Verification Google calls the concept two-step verification, though that doesn't really describe it properly. The more commonly used "two factor" term refers to the idea of combining different types of ... (view more)

Scammers have developed a new tactic to spread malware. It's a piece of evil genius with the emphasis strictly on the evil. The scam involves a piece of malware that targets Android phones. It's dubbed FluBot, though that appears to be more a ... reference to the way it's designed to quickly spread rather than having any connection to human illnesses. FluBot first appeared earlier this year in a fairly conventional form. It starts with unsolicited text messages claiming to be from a courier company that was unable to make a delivery. The culprits appear to have been taking advantage of people ... (view more)

Apple has patched a security flaw that could compromise phones and tablets just by users receiving a message. The exploit would use an attachment in iMessages but wouldn't require the user to click or open it. It's a potentially very serious flaw ... though ironically that may be the saving factor for most ordinary users. Because it's so serious, experts believe it's most likely to be used for highly targeted attacks. The bug was discovered by researchers at the University of Toronto, who say it's an example of "zero-click spyware". While they've seen similar attacks on Apple devices before, it's ... (view more)

Security experts have warned users to take extra care opening Microsoft Office files. An unpatched bug in Internet Explorer can affect users regardless of their preferred browser. The bug takes advantage of the way Office files can open links in ... Internet Explorer. It means that attackers can craft Office files that, once opened, automatically load an "attack" page in Internet Explorer that installs malware. Exactly what malware to install is up to the attacker. There is some protection for some users. In many cases, Office will by default open a document in Protected View, which blocks links ... (view more)

T-Mobile is investigating claims a hacker stole sensitive data about more than 100 million customers. It hasn't confirmed or denied claims. The haul included social security numbers and driver license information. The alleged breach was first ... reported by Motherboard, which spotted a hacker forum post from somebody attempting to steal the data. The would-be seller says it comes from multiple T-Mobile servers and contains "full customer info" on US customers. The seller claims the haul includes names, phone numbers and physical addresses, along with IMEI numbers that identify individual ... (view more)

A government agency says three "random" words make for a better password than many other approaches. It says other strategies such as adding symbols and numbers can be counterproductive. The advice comes from the National Cyber Security Center ... (NCSC). That's a body in the United Kingdom that deals with major security breaches and gives advice to businesses and other government organizations. According to the NCSC, the advice is aimed at people who try to remember passwords. It says password manager tools are a good solution but remain widely unused. (Source: gov.uk ) Predictable Appr0@ch! The ... (view more)

A Senate committee has slammed cyber security in eight federal government agencies. The committee said most were failing basic security standards and had shown minimal improvements since a previous report. The report comes from the Committee on ... Homeland Security and Governmental Affairs. It followed up on a similar report from another committee in 2019. Both reports looked at issues including: Whether the agencies adequately protected personal information. Whether they kept track of the various IT equipment and systems they used. Whether they installed security patches quickly enough. Whether ... (view more)

A security company has warned that scammers are using bogus copies of Windows 11 to distribute malware. Kaspersky reminds users that Microsoft's Windows Insider test program is the only place to get the real deal. While the average user can safely ... wait until the system's official release, tech enthusiasts may be eager to get their hands on Windows 11. That interest may well rise in the coming days with the first release of a beta edition that, in theory at least, is complete and much less likely to crash than the currently available "dev" edition. Kaspersky notes that several rogue sites are ... (view more)