A self-proclaimed “super hacker” causes problems in the Magic Kingdom, criminals regret trusting Anom phones, and lawsuits are filed against TikTok.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Plus don’t miss our featured interview with Scott McCrady, the CEO of SolCyber Managed Security Services.

Read More

Turn on a PC running Microsoft Windows 8.1 and you’re likely to be greeted with a full-screen message warning that the operating system will no longer be supported after 10 January 2023, and – critically – will no longer be receiving any security updates.

Read More

Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences.

Read more in my article on the Tripwire State of Security blog.

Read More

Graham Cluley Security News is sponsored this week by the folks at Keeper Security. Thanks to the great team there for their support! IT and DevOps teams were presented with new challenges with the mass-migration to home working, and found themselves forced to perform infrastructure monitoring and management remotely. What is clearly needed is a … Continue reading “Keeper Connection Manager : Privileged access to remote infrastructure with zero-trust and zero-knowledge security”

Read More

CIS-CAT Pro Assessor now offers a new filter in the HTML report that allows organizations to focus on IG1 recommendations.

Read More

Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another:

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

[…]

“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”

Read More

The ITRC reports a decline in publicly reported breaches in H1 2022

Read More