Cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions are all welcome!

651

"Since 3.5-sonnet, we have been monitoring AI model announcements, and trying pretty much every major new release that claims some sort of improvement. Unexpectedly by me, aside from a minor bump with 3.6 and an even smaller bump with 3.7, literally none of the new models we've tried have made a significant difference on either our internal benchmarks or in our developers' ability to find new bugs. This includes the new test-time OpenAI models.

At first, I was nervous to report this publicly because I thought it might reflect badly on us as a team. Our scanner has improved a lot since August, but because of regular engineering, not model improvements. It could've been a problem with the architecture that we had designed, that we weren't getting more mileage as the SWE-Bench scores went up.

But in recent months I've spoken to other YC founders doing AI application startups and most of them have had the same anecdotal experiences: 1. o99-pro-ultra announced, 2. Benchmarks look good, 3. Evaluated performance mediocre. This is despite the fact that we work in different industries, on different problem sets. Sometimes the founder will apply a cope to the narrative ("We just don't have any PhD level questions to ask"), but the narrative is there.

I have read the studies. I have seen the numbers. Maybe LLMs are becoming more fun to talk to, maybe they're performing better on controlled exams. But I would nevertheless like to submit, based off of internal benchmarks, and my own and colleagues' perceptions using these models, that whatever gains these companies are reporting to the public, they are not reflective of economic usefulness or generality."

https://www.lesswrong.com/posts/4mvphwx5pdsZLMmpY/recent-ai-model-progress-feels-mostly-like-bullshit

#AI #GenerativeAI #LLMs #Chatbots #CyberSecurity #SoftwareDevelopment #Programming

652

"I'm not the only person for whom a detailed knowledge of scams created immunity from being scammed. Troy Hunt is the proprietor of HaveIBeenPwned.com, the internet's most comprehensive and reliable breach notification site. Hunt pretty much invented the practice of tracking breaches, and he is steeped – saturated – in up-to-the-minute, nitty-gritty details of how internet scams work.

Guess who got phished?
(...)
Hunt had just gotten off a long-haul flight. He was jetlagged. He got a well-constructed, plausible counterfeit email from Mailchimp telling him that his mailing-list – which he absolutely relies upon – had been frozen after a spam complaint, and advising him to click on a link to contest the suspension. He was taken to a fake login screen that his password manager didn't autopopulate, so he manually pasted the password in (Mailchimp doesn't have 2FA). It was only when the login session hung that he realized he'd been scammed – and by then, it was too late. Within minutes, his mailing list had been exported by the scammers.

In his postmortem of the scam, Hunt identifies the overlapping factors that made him vulnerable. He was jetlagged. The mailing list was important. Bogus spam complaints are common. Big corporate sites like Mailchimp often redirect their logins through different domains, which causes password manager autofill to fail. Hunt had experienced near-identical phishing attempts before and spotted them, but this one just happened to land at the very moment that he was vulnerable. Plus – as with my credit union scam – it seems likely that Mailchimp itself had been breached (or has an insider threat), which allowed the scammers to pad out the scam with plausible details that made it seem legit."

https://pluralistic.net/2025/04/05/troy-hunt/#teach-a-man-to-phish

#Scams #Phishing #CyberSecurity

653

To me, it's idiocy to design a complex email security system consisting of SPF and DKIM checks, leading to emails coming in from scammers that are screaming, I'M SPAM!!, but then get delivered anyway because the very same scammer sets up a DMARC record in their DNS that simply says, yes, my stuff is obviously dangerous spam, but deliver it anyway. And the mail clients go, OK, if you say so.

They gave scammers and spammers a spam detection kill switch?

Why have all this in place if a scammer can just tell my email client it must deliver their junk? Why don't email clients at least put the email into the inbox in red if it fails spf and DKIM and the domain was created 10 minutes ago? Or at least give me the option to send email that fails spf to a special folder?

The Scam:
A scammer registers a new domain (e.g., totalBS.com).

They set up a DMARC record for that domain with p=none that instructs the email client to ignore the spf and DKIM failures.

They send out phishing emails from that domain, often spoofing legitimate addresses.

Even though SPF and DKIM checks fail, receiving mail servers honor DMARC and deliver it anyway, bypassing a significant layer of email security.

Why bother setting up this whole complicated scheme then?

What got me started is that hotmail put one of these into my inbox today, and I just couldn't believe they presented it to me like any other email when all security checks clearly failed because of spoofing.

#CyberSecurity #Phishing
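The post above describes a receiver applying DMARC to mail from a freshly registered domain. As an added illustration that is not part of the post, here is a small Python model of how a receiving server actually evaluates DMARC (RFC 7489): it looks up the DMARC record for the From domain (falling back to the organizational domain), checks whether SPF or DKIM passed and is aligned with that From domain, and only for mail that fails consults the owner's p= tag. The DNS lookup is replaced by a constructed dictionary so it runs offline, and every domain name in it (example-bank.test, newdomain.test, attacker.test, unprotected.test) is made up.

```python
"""Model of a receiving mail server's DMARC evaluation (RFC 7489).

Added example, not code from the original post. The DNS lookup is replaced
by a constructed dictionary so it runs offline; all domains are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
FAKE_DNS = {
    "_dmarc.example-bank.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-bank.test",
    "_dmarc.newdomain.test": "v=DMARC1; p=none",
    # "unprotected.test" publishes no record at all
}

def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a DMARC TXT record into {tag: value}; None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("p", "none")      # p is mandatory in real records; the default keeps the model total
    tags.setdefault("adkim", "r")     # relaxed alignment is the default for both identifiers
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain; crude last-two-label rule (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    from_domain: str                 # RFC5322.From domain, the identifier DMARC protects
    spf_pass_domain: Optional[str]   # MAIL FROM domain that passed SPF, or None if SPF failed
    dkim_pass_domain: Optional[str]  # d= of a DKIM signature that verified, or None

def lookup_record(from_domain: str, dns: dict) -> Optional[dict]:
    """Exact domain first, then the organizational domain, as RFC 7489 section 6.6.3 prescribes."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        txt = dns.get("_dmarc." + candidate)
        if txt:
            return parse_dmarc(txt)
    return None

def evaluate_dmarc(r: AuthResults, dns: dict = FAKE_DNS):
    """Return (dmarc_result, disposition requested by the domain owner).

    DMARC passes only if SPF or DKIM passed *and* aligns with the From domain.
    p= is what the owner asks receivers to do with mail that fails; it does not
    switch off the receiver's own spam filtering, and p=none just means 'report'.
    """
    record = lookup_record(r.from_domain, dns)
    if record is None:
        return "none", "no-policy"
    if aligned(r.from_domain, r.spf_pass_domain, record["aspf"]) or \
       aligned(r.from_domain, r.dkim_pass_domain, record["adkim"]):
        return "pass", "deliver"
    requested = {"none": "deliver-and-report", "quarantine": "quarantine", "reject": "reject"}
    return "fail", requested.get(record["p"], "deliver-and-report")

if __name__ == "__main__":
    # Spoofed From: example-bank.test, relayed through the attacker's own SPF-passing domain.
    print(evaluate_dmarc(AuthResults("example-bank.test", "attacker.test", None)))   # ('fail', 'reject')
    # Mail genuinely sent from the new domain: it authenticates, and p=none never comes into play.
    print(evaluate_dmarc(AuthResults("newdomain.test", "newdomain.test", None)))     # ('pass', 'deliver')
```

Two things the model makes visible. A DMARC record only governs mail whose From domain is the publishing domain, so a record on the scammer's own domain cannot influence how a receiver treats a spoof of someone else's domain. And p= is the owner's request for what to do with mail that fails alignment; mail that the scammer really does send from their own domain passes SPF and DKIM outright, and in that case it is the receiver's own reputation and content filtering, not DMARC, that decides whether it lands in the inbox.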

654

"Google is updating Gmail to allow enterprise users to send encrypted messages to any inbox in just a few clicks. Google says it’s developed a new encryption model that, unlike the current encryption feature on Gmail, doesn’t require senders or recipients to use custom software or exchange encryption certificates.

The feature is rolling out in beta starting today, and will initially be available for Google enterprise users to send encrypted emails to other Gmail users within the same organization. Google says this will expand to emails sent to any Gmail inbox “in the coming weeks,” and to inboxes from any third-party email provider “later this year.”

Gmail’s current encryption feature, based on the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, can already be used to send external emails. Doing so requires the recipient to have S/MIME configured and complete multiple steps with the sender before emails can be securely exchanged, however."

https://www.theverge.com/news/640422/google-gmail-email-encryption-enterprise-beta

#Google #CyberSecurity #Encryption #Privacy #eMail

655

HellCat - the ransomware gang that has been known to demand payment... in baguettes!

Are they rolling in the dough? Bread all about it in my article on the Tripwire blog: https://www.tripwire.com/state-of-security/hellcat-ransomware-what-you-need-know

#cybersecurity #ransomware

656

"API keys are foundational elements for authentication, but relying solely on them is inherently a risky proposal.

Firstly, there’s the reality that API keys are not securely designed — they were never meant to be used as the sole form of authentication, and as such, they aren’t really built for the task. These keys can often be easily stolen, leaked, or, in some cases (especially if generated incrementally), outright guessed. An API key is suitable for tracking usage but is poor for security.

There is also the additional reality that keys in their default state lack some critical functionality. There’s not a lot of verification built-in for identity management, and what does exist offers very little in the way of granular access control.

Ultimately, solely relying on API keys is a mistake common with novice developers but frighteningly common even in advanced products.

Best Practices
Instead of relying heavily on API keys as a sole mechanism, combine those keys with additional approaches such as OAuth 2.0 or mTLS. Implement rigorous expiration and rotation policies to ensure that keys which are made public are only useful for a short amount of time. Consider more advanced approaches, such as IP whitelisting or device fingerprinting, to add another layer of security atop the API key process."

https://nordicapis.com/9-signs-youre-doing-api-security-wrong/

#API #APIs #APISecurity #APIDesign #WebSecurity #CyberSecurity
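The quoted best practices (random rather than incremental keys, expiration, rotation) can be made concrete in a few dozen lines. The following is an added example, not code from the Nordic APIs article: a small API-key store that issues high-entropy keys, keeps only a keyed hash of each secret, refuses expired or revoked keys, compares in constant time, and rotates with a short overlap window. The key format `id.secret`, the scope model, the pepper and the lifetimes are this example's own choices.

```python
"""Added example (not from the Nordic APIs article): an API-key store that
follows the article's advice. Keys are random rather than incremental, only
a keyed hash is stored, every key expires, and rotation gives the old key a
short grace window. Names, formats and lifetimes are this example's choices.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional

@dataclass
class KeyRecord:
    key_hash: bytes          # HMAC-SHA256 of the secret; the secret itself is never stored
    expires_at: float        # Unix time after which verification fails
    scopes: FrozenSet[str]   # coarse permissions attached to the key
    revoked: bool = False

class ApiKeyStore:
    def __init__(self, pepper: bytes, now: Callable[[], float] = time.time):
        self._pepper = pepper      # server-side secret: a leaked table of hashes alone is useless
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._records: Dict[str, KeyRecord] = {}

    def _hash(self, secret: str) -> bytes:
        return hmac.new(self._pepper, secret.encode(), hashlib.sha256).digest()

    def issue(self, scopes: Iterable[str], ttl_seconds: float) -> str:
        """Create a key 'id.secret'; the caller sees the secret exactly once."""
        key_id = secrets.token_hex(8)        # random id: neighbouring keys reveal nothing about each other
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy, not guessable
        self._records[key_id] = KeyRecord(self._hash(secret), self._now() + ttl_seconds, frozenset(scopes))
        return f"{key_id}.{secret}"

    def _authenticate(self, presented: str) -> Optional[KeyRecord]:
        """Record for a known, unexpired, unrevoked, hash-matching key, else None."""
        if "." not in presented:
            return None
        key_id, secret = presented.split(".", 1)
        rec = self._records.get(key_id)
        if rec is None or rec.revoked or self._now() >= rec.expires_at:
            return None
        if not hmac.compare_digest(rec.key_hash, self._hash(secret)):   # constant-time comparison
            return None
        return rec

    def verify(self, presented: str, required_scope: str) -> bool:
        """True only for a valid key that carries the required scope."""
        rec = self._authenticate(presented)
        return rec is not None and required_scope in rec.scopes

    def rotate(self, presented: str, ttl_seconds: float, grace_seconds: float = 300) -> Optional[str]:
        """Issue a replacement with the same scopes; the old key dies after a short overlap."""
        old = self._authenticate(presented)
        if old is None:
            return None
        old.expires_at = min(old.expires_at, self._now() + grace_seconds)
        return self.issue(old.scopes, ttl_seconds)

    def revoke(self, presented: str) -> None:
        """Kill a key immediately, e.g. after it was found in a public repository."""
        key_id = presented.split(".", 1)[0]
        if key_id in self._records:
            self._records[key_id].revoked = True
```

The grace window in `rotate` is what makes routine rotation operationally painless: clients switch to the new key at their own pace within the window, and a key that leaks is still worthless shortly after. The store deliberately returns a plain `False` for every failure (unknown id, expired, revoked, wrong secret, missing scope) so that error responses do not tell a caller which part of the check failed.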

657

"It is now time to fix it for good. A new solution has been proposed: partitioning visited link history. This approach fundamentally changes how browsers store and expose visited link data. Instead of maintaining a global list, web browsers will store visited links with a triple-key partition:

  • Link URL. The destination of the visited link.
  • Top-Level Site. The domain of the main browsing context.
  • Frame Origin. The origin of the frame rendering the link.

A link is only styled as :visited if it was visited from the same top-level site and frame origin (...) This approach guarantees isolation and works well with the web's same-origin policy. The system records only navigations initiated by link clicks or scripts—excluding direct address bar entries or bookmark navigations.

Key benefits of this model include: strong protection against cross-site history leaks, solving for good many known side-channel attacks, support for meaningful styling within trusted, same-context domains, conforming to established web privacy principles and data protection regulations.

This feature is already implemented in Chrome (v132, behind a #partition-visited-link-database-with-self-links flag). I am confident that in 2025 we are going to have this privacy headache solved once and for all."

https://blog.lukaszolejnik.com/fixing-web-browser-history-leaks/

#CyberSecurity #WebSecurity #Privacy #WebBrowser #WebBrowserHistory
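To make the triple-key partition tangible, here is an added toy model in Python (not code from the post or from Chrome's implementation) that puts the old global visited-link list next to a store keyed by (link URL, top-level site, frame origin), as the post describes, and records only link-click and script navigations. The site and origin derivation is simplified (no Public Suffix List), and all URLs are made up.

```python
"""Added example (not from the post or from Chrome's implementation): a toy
model of the partitioned :visited store the post describes, keyed by
(link URL, top-level site, frame origin), next to the old global list,
to show why a third-party page can no longer learn what you clicked elsewhere.
Site/origin derivation is simplified (no Public Suffix List); URLs are made up.
"""
from urllib.parse import urlsplit

def origin(url: str) -> str:
    """Scheme + host (+ port): the web's same-origin unit."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def site(url: str) -> str:
    """Top-level site: scheme + registrable domain; crude last-two-label rule here."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return p.scheme.lower() + "://" + ".".join(host.split(".")[-2:])

# What the partitioned store records; typed and bookmark navigations are not.
LINK_INITIATED = {"link-click", "script"}

class GlobalVisitedLinks:
    """Pre-partitioning behaviour: one global set, answered the same way for every page."""
    def __init__(self):
        self._visited = set()

    def record(self, link_url, top_level_url, frame_url, initiator="link-click"):
        self._visited.add(link_url)

    def is_visited(self, link_url, top_level_url, frame_url):
        return link_url in self._visited

class PartitionedVisitedLinks:
    """Triple-keyed store: a link is :visited only in the context it was clicked from."""
    def __init__(self):
        self._visited = set()

    def record(self, link_url, top_level_url, frame_url, initiator="link-click"):
        if initiator not in LINK_INITIATED:
            return          # address-bar and bookmark navigations leave no :visited trace
        self._visited.add((link_url, site(top_level_url), origin(frame_url)))

    def is_visited(self, link_url, top_level_url, frame_url):
        return (link_url, site(top_level_url), origin(frame_url)) in self._visited

def cross_site_probe(store) -> bool:
    """Click a link on a.example, then have evil.example render the same link and read :visited."""
    store.record("https://news.example/article", "https://a.example/", "https://a.example/")
    return store.is_visited("https://news.example/article", "https://evil.example/", "https://evil.example/")

if __name__ == "__main__":
    print("global store leaks:", cross_site_probe(GlobalVisitedLinks()))           # True
    print("partitioned store leaks:", cross_site_probe(PartitionedVisitedLinks()))  # False
```

`cross_site_probe` is the classic history-sniffing shape reduced to its essence: whatever side channel a page uses to read the `:visited` state, with the partitioned store the answer for a link it never saw clicked in its own context is simply "not visited", so there is nothing left to leak. The third key matters too: an iframe on a subdomain of the same site gets its own partition, which is why the model keys on the frame origin and not only the top-level site.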

658

"We don’t know what pressure the Trump administration is using to make intelligence services fall into line, but it isn’t crazy to worry that the NSA might again start monitoring domestic communications.

Because of the Signal chat leak, it’s less likely that they’ll use vulnerabilities in Signal to do that. Equally, bad actors such as drug cartels may also feel safer using Signal. Their security against the US government lies in the fact that the US government shares their vulnerabilities. No one wants their secrets exposed.

I have long advocated for a "defense dominant" cybersecurity strategy. As long as smartphones are in the pocket of every government official, police officer, judge, CEO, and nuclear power plant operator—and now that they are being used for what the White House now calls "sensitive," if not outright classified conversations among cabinet members—we need them to be as secure as possible. And that means no government-mandated backdoors.

We may find out more about how officials—including the vice president of the United States—came to be using Signal on what seem to be consumer-grade smartphones, in an apparent breach of the laws on government records. It’s unlikely that they really thought through the consequences of their actions.

Nonetheless, those consequences are real. Other governments, possibly including US allies, will now have much more incentive to break Signal’s security than they did in the past, and more incentive to hack US government smartphones than they did before March 24.

For just the same reason, the US government has urgent incentives to protect them."

https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html

#USA #CyberSecurity #Signal #Encryption #Backdoors #Privacy #NSA #StateHacking

659

Woke this morning with an email from #Scotia bank about my account. I don't have a Scotia account.

Usually, I ignore these as phishing, but I have a #Thunderbird add-on that tells me when SPF and DKIM pass. And the "from" domain was truly scotia bank. So, yes, it did come from them.

Spent 30 minutes on the phone bouncing around, queuing and waiting while they checked. Their conclusion is that their customer carelessly entered my email address instead of their own, and they will contact the customer.

Two things.

Email addresses should always be validated with an OTP. When will banks learn this?

Second: Some people are a pain in the ass.

#banking #phishing #cybersecurity

660

Cybersecurity and cloud computing organization Akamai signs multi-year agreement to host https://kernel.org/
https://www.linux-magazine.com/Online/News/Akamai-Will-Host-kernel.org
#Linux #kernel #Akamai #hosting #infrastructure #CNCF #AlpineLinux #containers #cloud #cybersecurity

661

£3 million fine for healthcare MSP with sloppy security after it was hit by ransomware attack.

Sensitive data related to almost 80,000 people exposed, and NHS services disrupted.

Read more in my article on the Exponential-e blog: https://www.exponential-e.com/blog/3-million-fine-for-healthcare-msp-with-sloppy-security-after-it-was-hit-by-ransomware-attack

#cybersecurity #ransomware #databreach #nhs

662

“Enter your email” is a phrase we see all too often. With so much of the internet now requiring that you hand over your email address before using any services, you can still protect your privacy. @AssociatedPress provides these pointers on the whys and hows of email masking:

https://flip.it/k20L9_

#Tech #Email #CyberSecurity #Internet

663

"Oracle isn’t commenting on recent reports that it has experienced two separate data breaches that have exposed sensitive personal information belonging to thousands of its customers.

The most recent data breach report, published Friday by Bleeping Computer, said that Oracle Health—a health care software-as-a-service business the company acquired in 2022—had learned in February that a threat actor accessed one of its servers and made off with patient data from US hospitals. Bleeping Computer said Oracle Health customers have received breach notifications that were printed on plain paper rather than official Oracle letterhead and were signed by Seema Verma, the executive vice president & GM of Oracle Health.

The other report of a data breach occurred eight days ago, when an anonymous person using the handle rose87168 published a sampling of what they said were 6 million records of authentication data belonging to Oracle Cloud customers. Rose87168 told Bleeping Computer that they had acquired the data a little more than a month earlier after exploiting a vulnerability that gave access to an Oracle Cloud server."

https://arstechnica.com/security/2025/03/oracle-is-mum-on-reports-it-has-experienced-2-separate-data-breaches/

#CyberSecurity #Oracle #DataBreaches #DataProtection

664

"[T]he main thing that people need to understand about Signal is that messages are encrypted from my phone to your phone in such a way that Signal can't read them as they go through their servers. The government could not read them off of Signal servers even with a warrant, even if they really wanted to. But if somebody has access to your phone, they can read those messages the same way you can by looking at them with their eyeballs because the messages have to be decrypted for you to read.

Now, there are a lot of ways that you can get access to somebody's phone. You can look over their shoulder while they're reading their messages, right? You can find out their password and unlock their phone, right? You can use forensic tools that police have like a Cellebrite or a break-in device to unlock phones, and then you can read the messages that way. You can also use malware. Installing malware on somebody's phone is a way that governments often gain access to people's private encrypted communications. Things like Pegasus malware or they're recently written about malware from Paragon Solutions that was going after WhatsApp messages, which was also end-to-end encrypted.

A concern about national security folks using these devices for the communications is that it makes it much more likely that their devices will get targeted by malware. And there's a lot of countries that have espionage capabilities that have the capability to target people's phones that would be very interested in knowing what Pete Hegseth is talking about, or what other high-level cabinet officials are talking about. So that makes for a very juicy intelligence target for foreign intelligence, and I think it's safe to assume that's something that many countries are now going to be going after."

https://www.techpolicy.press/about-that-signal-chat/

#USA #Trump #CyberSecurity #Signal #Encryption #CyberWarfare

665

"A Signal spokesman said the Pentagon memo is not about the messaging app's level of security, but rather that users of the service should be aware of what are known as "phishing attacks." That's when hackers try to gain access to sensitive information through impersonation or other deceptive tricks.

"Once we learned that Signal users were being targeted and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago," said Signal spokesman Jun Harada.

The March 18, 2025, Pentagon memo adds, "Please note: third party messaging apps (e.g. Signal) are permitted by policy for unclassified accountability/recall exercises but are NOT approved to process or store nonpublic unclassified information.""

https://www.npr.org/2025/03/25/nx-s1-5339801/pentagon-email-signal-vulnerability

#CyberSecurity #USA #Signal #Pentagon #Privacy

666

"The app’s security is viewed as fairly strong due to its robust privacy features and minimal data collection, as well as default end-to-end encryption of all messages and voice calls. The app also includes a function that deletes all messages from a conversation within a set time frame, adding an additional layer of data protection. But experts agree that it shouldn’t be used by government officials as an alternative to communicating through more secure, sanctioned government communications — which Signal is not.

“It’s so unbelievable,” a former White House official, granted anonymity to discuss The Atlantic’s report candidly, said Monday. “These guys all have traveling security details to set up secure comms for them, wherever they are.”

The former White House official pointed out that members of Trump’s Cabinet — including the vice president, Defense Secretary Pete Hegseth, and Director of National Intelligence Tulsi Gabbard, among others — were likely using personal devices, since in most cases, Signal cannot be downloaded onto official federal devices. This alone creates a host of cybersecurity issues."

https://www.politico.com/news/2025/03/25/signal-cybersecurity-trump-war-planning-00246881

#USA #Trump #CyberSecurity #Signal #Privacy

667

"More and more hackers are targeting regular people with the goal of breaking into their bank accounts, stealing their crypto, or simply stalking them. These types of attacks are still relatively rare, so there’s no need for alarm. But it’s important to know what you can do to protect yourself if you suspect someone accessed your email, social media account, chat apps, or any other major service and platform.

A few years ago, I wrote a guide to help people protect themselves, and understand that most of the companies you have an account with already offer you tools to take control of your accounts’ security, even before you contact them for help, which in some cases you still should do.

Here we break down what you can do on several different online services, including Gmail (and more broadly a Google account), Facebook, Apple ID, and more. And come back often because this is a regularly updated resource, both in terms of making sure the instructions for each individual service or platform are up to date, as well as to add new ones.

Just like in the previous guide, there’s an important caveat. You should know that these methods don’t guarantee that you haven’t been compromised."

#CyberSecurity #Privacy #Hacking #Gmail #Facebook #Apple

https://techcrunch.com/2025/03/25/how-to-tell-if-your-online-accounts-have-been-hacked/

668

"Whittaker acknowledges that WhatsApp licenses Signal’s end-to-end encryption technology. Nevertheless, a lot of personal and intimate information isn’t protected. According to Signal’s president, this involves users’ location data, contact lists, when they send someone a message, when they stop, what users are in their group chats, their profile picture, and much more.

“These differences may be marketing gloss to Meta, but to us, they’re fundamental life or death issues that the public deserves to understand so they can make an informed choice,” Whittaker concludes.

On Sunday, WhatsApp sent a message to Dutch users stating that the company can’t read their messages, including text and voice messages, photos, videos, and calls.

“They are protected by end-to-end encryption because we are always committed to protecting your privacy,” the note reads."

https://cybernews.com/news/whatsapp-signal-executives-battle/

#Cybersecurity #Privacy #Encryption #Signal #WhatsApp

669

Q-Day — the day someone builds a quantum computer that can crack the most widely used forms of encryption — could happen in the next decade according to cybersecurity experts. That means everything could become vulnerable, for everyone. @WIRED has the story. #Cybersecurity #QDay #Tech #Technology #DataPrivacy https://flip.it/stmSHG

670

"Shortly after senior Trump administration officials discussed and celebrated the bombing of Yemen in an encrypted group chat that, unbeknownst to them, included the editor-in-chief of the Atlantic, a subset of the group feasted at an opulent, secret dinner featuring the president where guests were asked to pay $1 million apiece to snag a seat.

The date was Saturday, March 15. President Donald Trump was at his Mar-a-Lago estate attending a “candlelight” dinner that wasn’t on his public calendar. On the lawn outside, luxury cars were on display: a Rolls Royce was parked near a Bugatti and Lamborghini. Guests milled about, taking photographs of each other and the vehicles. Earlier that day, the United States had bombed Yemen, targeting Houthi leadership. At least 53 people, including children, were killed.

Trump flew to the event on Air Force One with Elon Musk and Musk’s four year old son X, according to photos and videos viewed by WIRED. Throughout the weekend, Musk was in close contact with Trump and at least one member of the president’s brain trust who was participating in a Signal group chat where highly sensitive details of the planned operation were being shared. Experts say the conversation appears to have violated government protocols on information sharing."

https://www.wired.com/story/trump-officials-signal-chat-candlelight-dinner-mar-a-lago-yemen/

#USA #Trump #Musk #Leaks #PressFreedom #Signal #CyberSecurity #Privacy

671

If you also use BlueSky I have provided you a Short Stack there:

https://tisiphone.net/2025/03/25/bluesky-infosec-news-list/

It is mostly a duplicate of the Short Stack here:

https://tisiphone.net/2025/03/18/updated-infosec-mastodon-lists/

These are intel-ish news feeds mostly consisting of people who post a lot of relevant articles, commentary, and punditry.

#cybersecurity #infosec

672

A Win for Encryption: France Rejects Backdoor Mandate

#CiberSeguretat #CyberSecurity #EFF

https://www.eff.org/deeplinks/2025/03/win-encryption-france-rejects-backdoor-mandate via @eff@mastodon.social

673

23andMe’s bankruptcy means that the company will be put up for sale, and there’s no way of knowing who is going to buy it, why they will be interested, and what will become of its millions of customers’ DNA sequences. Read more at @404media. #23andMe #DataPrivacy #CyberSecurity #Tech #Technology https://flip.it/pFwYFl

674

"In a moment of clarity after initially moving forward a deeply flawed piece of legislation, the French National Assembly has done the right thing: it rejected a dangerous proposal that would have gutted end-to-end encryption in the name of fighting drug trafficking. Despite heavy pressure from the Interior Ministry, lawmakers voted Thursday night (article in French) to strike down a provision that would have forced messaging platforms like Signal and WhatsApp to allow hidden access to private conversations.

The vote is a victory for digital rights, for privacy and security, and for common sense.

The proposed law was a surveillance wishlist disguised as anti-drug legislation."

https://www.eff.org/deeplinks/2025/03/win-encryption-france-rejects-backdoor-mandate

#EU #France #CyberSecurity #Encryption #Backdoors #Privacy

675

"A consumer-grade spyware operation called SpyX was hit by a data breach last year, TechCrunch has learned. The breach reveals that SpyX and two other related mobile apps had records on almost two million people at the time of the breach, including thousands of Apple users.

The data breach dates back to June 2024 but has not been previously reported, and there is no indication that SpyX’s operators ever notified its customers or those targeted by the spyware.

The SpyX family of mobile spyware is now, by our count, the 25th mobile surveillance operation since 2017 known to have experienced a data breach, or otherwise spilled or exposed their victims’ or users’ data, showing that the consumer-grade spyware industry continues to proliferate and put people’s private data at risk.

The breach also provides a rare look at how stalkerware like SpyX can also target Apple customers.

Troy Hunt, who runs data breach notification site Have I Been Pwned, received a copy of the breached data in the form of two text files, which contained 1.97 million unique account records with associated email addresses."

https://techcrunch.com/2025/03/19/data-breach-at-stalkerware-spyx-affects-close-to-2-million-including-thousands-of-apple-users/

#CyberSecurity #Spyware #SpyX #Apple #Stalkerware #Surveillance
