Invisible text that AI chatbots understand and humans can’t? Yep, it’s a thing. - Ars Technica
A quirk in the Unicode standard harbors an ideal steganographic code channel.
Neo-Nazis head to encrypted SimpleX Chat app, bail on Telegram
App swears there’s no way for law enforcement to track users’ identities.
CTV industry’s unprecedented “surveillance”
48-page report citing Ars Technica urges FTC, FCC investigate connected TV data harvesting. Gen AI, potentially racially discrimniatory practices head concerns.
NIST proposes barring some of the most nonsensical password rules
The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, has proposed barring some of the most vexing and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters, and the use of security questions.
Hacker plants false memories in ChatGPT to steal user data in perpetuity
Emails, documents, and other untrusted content can plant malicious memories.
Europe’s privacy watchdog probes Google over data used for AI training
Meta and X have already paused some AI training over same set of concerns.
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
Sophisticated attack breaks security assurances of the most popular FIDO key. The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday. The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.
Windows 0-day was exploited by North Korea to install advanced rootkit
FudModule rootkit burrows deep into Windows, where it can bypass key security defenses.
Who are the two major hackers Russia just received in a prisoner swap?
Both men committed major financial crimes—and had powerful friends.
Secure Boot is completely broken on 200+ models from 5 big device makers | Ars Technica
Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.
New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere
Ubiquitous RADIUS scheme uses homegrown authentication based on MD5. Yup, you heard right.
3 million iOS and macOS apps were exposed to potent supply-chain attacks
Apps that used code libraries hosted on CocoaPods were vulnerable for about 10 years.
Apple’s AI promise: “Your data is never stored or made accessible to Apple”
And publicly reviewable server code means experts can "verify this privacy promise."
Darknet markets generate millions in revenue selling stolen personal data
A handful of markets were responsible for trafficking most of the data.
LockBit ransomware suspect nabbed in Canada, faces charges in the US
Automation features make LockBit one of the more destructive pieces of ransomware. Federal prosecutors on Thursday charged a dual Russian and Canadian national for his alleged participation in a global campaign to spread ransomware known as LockBit. Mikhail Vasiliev, 33, of Bradford, Ontario, Canada, was taken into custody in late October by authorities in Ontario, officials at Interpol said. He is now in custody in Canada awaiting extradition to the US.
How Vice Society got away with a global ransomware spree | Ars Technica
Vice Society has a superpower that’s allowed it to quietly thrive: Mediocrity.
How 3 hours of inaction from Amazon cost cryptocurrency holders $235,000
For 2nd time in 4 years, Amazon loses control of its IP space in BGP hijacking.
Breach of software maker used to backdoor as many as 200,000 servers
Hack of FishPig distribution server used to install Rekoobe on customer systems.
Phishers who breached Twilio and targeted Cloudflare could easily get you, too
Unusually resourced threat actor has targeted multiple companies in recent days.
Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us
Turns out they're not all that rare. We just don't know how to find them.
Google Play hides app permissions in favor of developer-written descriptions
Let's hope nobody lies about what permissions their app uses.
Ongoing phishing campaign can hack you even when you’re protected with MFA
Campaign that steals email has targeted at least 10,000 organizations since September.
A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys
Hertzbleed attack targets power-conservation feature found on virtually all modern CPUs.
Researchers devise iPhone malware that runs even when device is turned off
Research is largely theoretical but exposes an overlooked security issue.
Zyxel silently patches command-injection vulnerability with 9.8 severity rating
Flaw makes it possible to install web shell to maintain control of affected devices.
Researcher uses 379-year-old algorithm to crack crypto keys found in the wild
It takes only a second to crack the handful of weak keys. Are there more out there?
Russia’s Sandworm hackers attempted a third blackout in Ukraine
The attack was the first in five years to use Sandworm's Industroyer malware.
Explaining Spring4Shell: The Internet security disaster that wasn’t
Vulnerability in the Spring Java Framework is important, but it's no Log4Shell.
Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA
Not all MFA is created equal, as script kiddies and elite hackers have shown recently.
Behold, a password phishing site that can trick even savvy users
Just when you thought you'd seen every phishing trick out there, BitB comes along.