Cybersecurity
An umbrella community for all things cybersecurity / infosec. News, research, and questions are all welcome!

Yours truly just popped up on ITV News, offering some advice on the latest from Marks & Spencer on its cyberattack. Nina Hossein told me that she could read the titles on the books behind me - eek!

https://youtube.com/watch?v=6y-X9nKs9Ac&feature=shared

#cybersecurity #ransomware #databreach


If you're creating an application that displays URLs to users (chat app for example), please make sure to apply spoof checks to avoid use of UTF-8 confusables in IDN homograph attacks. You may want to block URLs with hostnames that get flagged, or display them in #punycode instead.

As an example, see https://github.com/chromium/chromium/tree/main/components/url_formatter/spoof_checks

In particular https://github.com/chromium/chromium/blob/8e070073d47861b8bfc7548dce8fcfc708a356fb/components/url_formatter/spoof_checks/idn_spoof_checker.cc#L177 is quite interesting read.

#cybersecurity #infosec
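Chromium's checker linked above uses ICU's spoof checker; the block below is a simplified added example in Python (not Chromium's code and not the poster's) that flags mixed-script labels and a small set of whole-script Cyrillic lookalikes, then renders a flagged hostname in punycode as the post suggests. The `LATIN_LOOKALIKES` table and the `check_url` helper are constructed for this example, the script heuristic is cruder than Chromium's (which permits some legitimate script mixes), and the punycode step is display-only rather than full IDNA processing.

```python
"""Simplified IDN spoof checks for URLs shown to users (added example, not Chromium's code).

Heuristics implemented:
  1. mixed-script label: Cyrillic 'а' (U+0430) followed by Latin 'pple'
  2. whole-script confusable: every letter is a Cyrillic lookalike of a Latin letter
A flagged hostname is rendered in punycode so the user sees 'xn--...' rather than
a string that looks like a trusted brand.
"""
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Hand-picked subset of Cyrillic letters that render like Latin letters in common
# fonts. Constructed for this example; a real deployment uses Unicode's confusables.txt.
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h",
}


def script_of(ch: str):
    """Approximate a character's script from the first word of its Unicode name,
    e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Digits and '-' are neutral (None)."""
    try:
        first = unicodedata.name(ch).split()[0]
    except ValueError:  # unassigned code point
        return "UNKNOWN"
    if first in ("DIGIT", "HYPHEN-MINUS"):
        return None
    return first


def label_is_suspicious(label: str) -> bool:
    """True if one hostname label mixes scripts or is a whole-script confusable.
    Cruder than Chromium's checker, which permits some legitimate script mixes."""
    if label.isascii():
        return False
    scripts = {s for s in map(script_of, label) if s}
    if len(scripts) > 1:
        return True  # e.g. 'аpple': CYRILLIC + LATIN
    letters = [ch for ch in label if script_of(ch)]
    if scripts == {"CYRILLIC"} and all(ch in LATIN_LOOKALIKES for ch in letters):
        return True  # e.g. 'аррӏе': all Cyrillic, every letter a Latin lookalike
    return False


def to_punycode(hostname: str) -> str:
    """Render non-ASCII labels as xn-- A-labels; ASCII labels pass through unchanged."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def check_url(url: str, policy: str = "punycode"):
    """Return (verdict, display_url). policy='block' drops flagged URLs entirely;
    policy='punycode' rewrites the hostname so the spoof becomes visible."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not any(label_is_suspicious(label) for label in host.split(".")):
        return "ok", url
    if policy == "block":
        return "blocked", None
    # Rebuild netloc without any userinfo: 'trusted@evil' is itself a spoofing trick.
    netloc = to_punycode(host)
    if parts.port:
        netloc += f":{parts.port}"
    return "punycode", urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("https://apple.com/", "https://\u0430pple.com/login", "https://m\u00fcnchen.de/"):
        print(u, "->", check_url(u))
```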


"Encrypted chat apps like Signal and WhatsApp are one of the best ways to keep your digital conversations as private as possible. But if you’re not careful with how those conversations are backed up, you can accidentally undermine your privacy.

When a conversation is properly encrypted end-to-end, it means that the contents of those messages are only viewable by the sender and the recipient. The organization that runs the messaging platform—such as Meta or Signal—does not have access to the contents of the messages. But it does have access to some metadata, like the who, where, and when of a message. Companies have different retention policies around whether they hold onto that information after the message is sent.

What happens after the messages are sent and received is entirely up to the sender and receiver. If you’re having a conversation with someone, you may choose to screenshot that conversation and save that screenshot to your computer’s desktop or phone’s camera roll. You might choose to back up your chat history, either to your personal computer or maybe even to cloud storage (services like Google Drive or iCloud, or to servers run by the application developer)."

https://www.eff.org/deeplinks/2025/05/back-it-back-it-let-us-begin-explain-encrypted-chat-backups

#CyberSecurity #Privacy #Encryption #Messaging #Signal #WhatsApp


There are security protections, and then there are strong security protections. How to turn on Lockdown Mode for your iPhone and Mac, from @TheVerege@flipboard.com:

https://flip.it/xzuEi5

#Tech #iPhone #Mac #CyberSecurity #Privacy


"Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.

Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US."

https://arstechnica.com/security/2025/05/doge-software-engineers-computer-infected-by-info-stealing-malware/

#CyberSecurity #DOGE #USA #Musk #CISA #FEMA #Malware


"Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.

On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and around $444,719 in compensatory damages.

This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.

WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”"

https://techcrunch.com/2025/05/06/nso-group-must-pay-more-than-167-million-in-damages-to-whatsapp-for-spyware-campaign/

#CyberSecurity #NSOGroup #Spyware #Pegasus #WhatsApp


"Hackers have targeted GlobalX Air, one of the main airlines the Trump administration is using as part of its deportation efforts, and stolen what they say are flight records and passenger manifests of all of its flights, including those for deportation, 404 Media has learned.

The data, which the hackers contacted 404 Media and other journalists about unprompted, could provide granular insight into who exactly has been deported on GlobalX flights, when, and to where, with GlobalX being the charter company that facilitated the deportation of hundreds of Venezuelans to El Salvador.

“Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a defacement message posted to GlobalX’s website reads. Anonymous, well-known for its use of the Guy Fawkes mask, is an umbrella some hackers operate under when performing what they see as hacktivism."

https://www.404media.co/globalx-airline-for-trumps-deportations-hacked/

#USA #Trump #Deportations #Immigration #ICE #ElSalvador #CyberSecurity #GlobalX #Hacking #Hacktivism #Anonymous


A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages. Read more at @404media. #Signal #TeleMessage #DOD #Tech #Technology #Cybersecurity https://flip.it/TqGyLR


Here is the best explanation of #passkeys I've seen, why they are the most secure and, yes, why you should absolutely use them.

As always, it's the inconsistent implementation that makes everything too complicated, and this is true for passkeys. The industry quickly made a terrible mess and got in their own way of getting them adopted. Seems no two companies implement and use them the same way, have the same rules, the same instructions or could even explain them well. A confused market never buys.

Depending on the implementation, they can be used along with password login, a choice between it and password login, or the only choice for logging in.

Microsoft requires new Windows accounts to be passwordless (use passkeys). They aren't messing around. They jumped to the end of the story. Thanks to Microsoft, it's game over. You can kick and scream while being dragged there, but the world is going passkeys, and you're part of the world.

Passkeys eliminate security vulnerabilities often used by scammers while creating a greater risk that you will be locked out. The thing to remember is that nowadays, the chances of being hacked are much greater than the chances of you locking yourself out. And being hacked is much worse for you than getting locked out for a while.

#CyberSecurity

troyhunt.com/passkeys-for-norm…


"A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages, 404 Media has learned. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.

The hack shows that an app gathering messages of the highest ranking officials in the government—Waltz’s chats on the app include recipients that appear to be Marco Rubio, Tulsi Gabbard, and JD Vance—contained serious vulnerabilities that allowed a hacker to trivially access the archived chats of some people who used the same tool. The hacker has not obtained the messages of cabinet members, Waltz, and people he spoke to, but the hack shows that the archived chat logs are not end-to-end encrypted between the modified version of the messaging app and the ultimate archive destination controlled by the TeleMessage customer.

Data related to Customs and Border Protection (CBP), the cryptocurrency giant Coinbase, and other financial institutions are included in the hacked material, according to screenshots of messages and backend systems obtained by 404 Media."

https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/

#CyberSecurity #Signal #Messaging #Telemessage #Hacking


In a group of 39 organisations and 43 experts we call on Commissioner Virkkunen for a scientific evidence-based approach to #encryption 💪🏽

The announcement from the European Commission about a “Technology Roadmap on encryption” has raised several questions because of plans to enable law enforcement authorities access to encrypted data 🙅🏽‍♀️

We ask for meaningful participation of experts to safeguard #cybersecurity and #Fundamental Rights.

Read the open letter ⤵️
https://edri.org/our-work/technical-experts-call-on-virkkunen-for-a-seat-on-the-table-european-commissions-technology-roadmap-on-encryption/


A security lapse at Raw, a dating app that asks users to upload a daily selfie, publicly exposed the personal data and private location data of its users. @Techcrunch has more:

https://flip.it/Y5z5Ub

#Tech #CyberSecurity #Apps #Technology


"For maybe a decade, North Korean intelligence services have been training young IT workers and sending them abroad in teams, often to China or Russia. From these bases, they scour the web for job listings all over, usually in software engineering, and usually with Western companies. They favor roles that are fully remote, with solid wages, good access to data and systems, and few responsibilities. Over time they began applying for these jobs using stolen or fake identities and relying on members of their criminal teams to provide fictional references; some have even started using AI to pass coding tests, video interviews, and background checks.

But if an applicant lands a job offer, the syndicate needs somebody on the ground in the country the applicant claims to live in. A fake employee, after all, can’t use the addresses or bank accounts linked to their stolen IDs, and they can’t dial in to a company’s networks from overseas without instantly triggering suspicion. That’s where someone like Christina Chapman comes in.

As the “facilitator” for hundreds of North Korea–linked jobs, Chapman signed fraudulent documents and handled some of the fake workers’ salaries. She would often receive their paychecks in one of her bank accounts, take a cut, and wire the rest overseas: Federal prosecutors say Chapman was promised as much as 30 percent of the money that passed through her hands.

Her most important job, though, was tending the “laptop farm.” After being hired, a fake worker will typically ask for their company computer to be sent to a different address than the one on record—usually with some tale about a last-minute move or needing to stay with a sick relative. The new address, of course, belongs to the facilitator, in this case Chapman."

https://www.wired.com/story/north-korea-stole-your-tech-job-ai-interviews/

#CyberSecurity #NorthKorea #IT #RemoteJobs #StateHacking #AI


"Apple sent notifications this week to several people who the company believes were targeted with government spyware, according to two of the alleged targets.

In the past, Apple has sent similar notifications to targets and victims of spyware, and directed them to contact a nonprofit that specializes in investigating such cyberattacks. Other tech companies, like Google and WhatsApp, have in recent years also periodically sent such notifications to their users.

As of Wednesday, only two people appear to have come forward to reveal they were among those who received the notifications from Apple this week.

One is Ciro Pellegrino, an Italian journalist who works for online news outlet Fanpage. Pellegrino wrote in an article that he received an email and a text message from Apple on Tuesday notifying him that he was targeted with spyware. The message, according to Pellegrino, also said he wasn’t the only person targeted."

https://techcrunch.com/2025/04/30/apple-notifies-new-victims-of-spyware-attacks-across-the-world/

#CyberSecurity #Apple #Spyware #StateHacking #Surveillance


"Apple’s AirPlay feature enables iPhones and MacBooks to seamlessly play music or show photos and videos on other Apple devices or third-party speakers and TVs that integrate the protocol. Now newly uncovered security flaws in AirPlay mean that those same wireless connections could allow hackers to move within a network just as easily, spreading malicious code from one infected device to another. Apple products are known for regularly receiving fixes, but given how rarely some smart-home devices are patched, it’s likely that these wirelessly enabled footholds for malware, across many of the hundreds of models of AirPlay-enabled devices, will persist for years to come.

On Tuesday, researchers from the cybersecurity firm Oligo revealed what they’re calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple’s proprietary radio-based protocol for local wireless communication. Bugs in Apple’s AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they’re on the same Wi-Fi network as the hacker’s machine. Another set of AirBorne vulnerabilities would have allowed hackers to exploit AirPlay-enabled Apple devices too, Apple told Oligo, though these bugs have been patched in updates over the last several months, and Apple tells WIRED that those bugs could have only been exploited when users changed default AirPlay settings.

Those Apple devices aside, Oligo’s chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions."

https://arstechnica.com/security/2025/04/millions-of-apple-airplay-enabled-devices-can-be-hacked-via-wi-fi/

#CyberSecurity #Apple #AirPlay #Wifi #Hacking #IoT #SmartDevices


"- In March 2025, senior members of the World Uyghur Congress (WUC) living in exile were targeted with a spearphishing campaign aimed at delivering Windows-based malware capable of conducting remote surveillance against its targets.

  • The malware was delivered through a trojanized version of a legitimate open source word processing and spell check tool developed to support the use of the Uyghur language. The tool was originally built by a developer known and trusted by the targeted community.

  • Although the malware itself was not particularly advanced, the delivery of the malware was extremely well customized to reach the target population and technical artifacts show that activity related to this campaign began in at least May of 2024.

  • The ruse employed by the attackers replicates a typical pattern: threat actors likely aligned with the Chinese government have repeatedly instrumentalized software and websites that aim to support marginalized and repressed cultures to digitally target these same communities.

  • This campaign shows the ongoing threats of digital transnational repression facing the Uyghur diaspora. Digital transnational repression arises when governments use digital technologies to surveil, intimidate, and silence exiled and diaspora communities."

https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/

#CyberSecurity #Malware #Spearphishing #China #Uyghurs #Xinjiang #Surveillance


"Defense Secretary Pete Hegseth’s personal phone number, the one used in a recent Signal chat, was easily accessible on the internet and public apps as recently as March, potentially exposing national security secrets to foreign adversaries.

The phone number could be found in a variety of places, including WhatsApp, Facebook and a fantasy sports site. It was the same number through which the defense secretary, using the Signal commercial messaging app, disclosed flight data for American strikes on the Houthi militia in Yemen.

Cybersecurity analysts said an American defense secretary’s communications device would usually be among the most protected national security assets.

“There’s zero percent chance that someone hasn’t tried to install Pegasus or some other spyware on his phone,” Mike Casey, the former director of the National Counterintelligence and Security Center, said in an interview. “He is one of the top five, probably, most targeted people in the world for espionage.”

Emily Harding, a defense and security expert at the Center for Strategic and International Studies, added: “You just don’t want the secretary of defense’s phone number to be out there and available to anyone.”"

https://www.nytimes.com/2025/04/25/us/politics/pete-hegseth-phone-signal.html

#USA #Trump #Pentagon #DoD #CyberSecurity #Defense #Spyware


The phishing scam is fairly well known by now. But have you ever heard of so-called #Pharming? 🤔
With it, you are lured to fake websites so that confidential information can be stolen from you. 🎣

#DeutschlandDigitalSicherBSI #CyberSecurity

In pharming, you are redirected to a fake website even if you type a correct URL into your browser's address bar. This is possible if cybercriminals have previously manipulated your computers or devices, using a piece of malware called a DNS changer that redirects correctly entered addresses to fake pages. The fake website looks confusingly similar to the real one and serves to harvest personal data for identity theft, for example by imitating a web shop where you enter your account details. Or cybercriminals try to use it to install further malware on your devices. There is no simple protection against it, so be careful and keep your antivirus software up to date. It can help detect the malware involved in time.


"While identifying and categorizing the different failure modes, we broke them down across two pillars, safety and security.

  • Security failures are those that result in core security impacts, namely a loss of confidentiality, availability, or integrity of the agentic AI system; for example, such a failure allowing a threat actor to alter the intent of the system.

  • Safety failure modes are those that affect the responsible implementation of AI, often resulting in harm to the users or society at large; for example, a failure that causes the system to provide differing quality of service to different users without explicit instructions to do so.

We then mapped the failures along two axes—novel and existing.

  • Novel failure modes are unique to agentic AI and have not been observed in non-agentic generative AI systems, such as failures that occur in the communication flow between agents within a multiagent system.

  • Existing failure modes have been observed in other AI systems, such as bias or hallucinations, but gain in importance in agentic AI systems due to their impact or likelihood.

As well as identifying the failure modes, we have also identified the effects these failures could have on the systems they appear in and the users of them. Additionally, we identified key practices and controls that those building agentic AI systems should consider to mitigate the risks posed by these failure modes, including architectural approaches, technical controls, and user design approaches that build upon Microsoft’s experience in securing software as well as generative AI systems."

#AI #GenerativeAI #AIAgents #AgenticAI #AISafety #Microsoft #CyberSecurity #LLMs #Chatbots #Hallucinations


We’ve all made some embarrassing tech flubs, but a recent spate of questionable decisions, including U.S. Secretary of Defense Pete Hegseth’s sharing of top-secret military plans, facilitates this observation: Government officials are kinda bad at tech. @Techcrunch has more on these cautionary tales and how to avoid some of them:

https://flip.it/C-EkXg

#Tech #Security #CyberSecurity #Hegseth


Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send millions of emails with your FROM: address and you will get a million bounce messages.

Can you stop this or prevent this? No.

Why would a mail provider send you a bounce message, knowing you're innocent? Because that's how someone wrote the protocol back then, and nobody changes it or does it differently because ... reasons.

Does the spammer get a bounce message? Nope, not one.

Is the SMTP sending account owner whose credentials were stolen notified about bounces so they can stop the spam? Nope.

Just millions of emails sent every day to poor schlemiels who have no idea why they are getting them and who can't do anything about them.

The more I learn about the email protocols, the more I realize how terrible the design is.

#emailsecurity #spoofing #cybersecurity #spam


"Inherent security flaws are raising questions about the safety of AI systems built on the Model Context Protocol (MCP).

Developed by Anthropic, MCP is an open source specification for connecting large language model-based AI agents with external data sources — called MCP servers.

As the first proposed industry standard for agent-to-API communication, interest in MCP has surged in recent months, leading to an explosion in MCP servers.

In recent weeks, developers have sounded the alarm that MCP lacks default authentication and isn’t secure out of the box — some say it’s a security nightmare.

Recent research from Invariant Labs shows that MCP servers are vulnerable to tool poisoning attacks, in which untrusted servers embed hidden instructions in tool descriptions.

Anthropic, OpenAI, Cursor, Zapier, and other MCP clients are susceptible to this type of attack..."

https://thenewstack.io/building-with-mcp-mind-the-security-gaps/

#AI #GenerativeAI #AIAgents #AgenticAI #MCP #APIs #CyberSecurity #LLMs


"The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software.

"It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them," Neumann said.

Neumann was made aware of the ongoing ploy four weeks ago by the German domestic intelligence service, she said.

The group thought to be behind the attack is a hacking collective associated with the Iranian Revolutionary Guard, known as APT42, according to a report by the Parliament’s in-house IT service DG ITEC and seen by POLITICO. Another Iranian hacking group, called APT35 or Charming Kitten, was initially considered a culprit too. The two Iranian threat groups are closely related."

https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

#EU #Germany #Iran #CyberSecurity #StateHacking #Spyware #APT42 #APT35


If there were a single thing I'd want to convey to potential future #cybersecurity professionals: Hacking is fun, but reporting is the most important part.

You can be the best hacker in the world, but all that is in vain if you can't convey what you did and how to prevent it.

You should spend time getting better at reporting, along with the technical skills.

#thoughtoftheday


"Between the lines: Signal isn't to blame for the federal government's operational security failures. But two encrypted communications companies told Axios they've had more customer calls and downloads since The Atlantic's first story about military strike leaks over Signal.

"It's definitely skyrocketed," Andersen said. "It definitely has accelerated interest and traction on a number of fronts, for sure."
Kibu came out of beta in January, and its user base is now projected to double this quarter compared with the first three months of the year, Andersen said. Kibu's users include small family financial wealth management offices, bigger financial institutions and privacy-minded individuals.

Jeff Halstead, founder of Genasys Connect, an encrypted communications tool popular with law enforcement, told Axios that after the initial stories, he had several conversations with law enforcement and city governments.

"They're all using Signal," he said."

https://www.axios.com/2025/04/22/signalgate-encryption-trump-administration-downloads

#CyberSecurity #Encryption #Signal #Privacy #Encryption #SignalGate #USA #Trump
