Feedback & Followups
- A great example of why it’s important to patch; these flaws are among the things fixed by the Apple updates we called out last time: Apple ‘AirBorne’ flaws can lead to zero-click AirPlay RCE attacks — www.bleepingcomputer.com/… (RCE is Remote Code Execution)
- Yet another call to bin those old unpatchable routers ASAP: FBI: End-of-life routers hacked for cybercrime proxy networks — www.bleepingcomputer.com/…
- 🇺🇸 While Apple dropped their similar case to avoid having to reveal internal data during discovery, Meta continued theirs, and won: NSO Group fined $167M for spyware attacks on 1,400 WhatsApp users — www.bleepingcomputer.com/…
- Related: Apple has sent out its latest round of notifications to users it has evidence were targeted by Pegasus-style advanced spyware — appleinsider.com/… (Recipients are reported to be in 100 countries around the world)
- Related: Google’s 2024 threat intelligence report suggests this problem is getting worse, not better: Google: 97 zero-days exploited in 2024, over 50% in spyware attacks — www.bleepingcomputer.com/…
- 🇺🇸 There has been a small but significant development in the Trump Administration’s misuse of Signal for privileged military communications, AKA SignalGate, and it provides a teachable moment — www.404media.co/…, www.bleepingcomputer.com/… & www.wired.com/…
- Thanks to the power of modern telephoto lenses, and the fact that the then National Security Advisor Mike Waltz was sneakily checking his phone in a cabinet meeting, we now know the problematic Signal chats happened using an unofficial third-party Signal client made by TeleMessage, which offers centralised cloud-hosted message archiving as a feature.
- Shortly after, security researchers tested the app’s security and found it badly wanting: they were able to access archived transcripts of many supposedly secret US government chats.
- TeleMessage promptly suspended its services.
- This illustrates the boundaries of End-to-End Encryption. It secures messages all the way from one end of a conversation to the other, so no server en route can decrypt them, even if messages get cached or stored there for hours, weeks, months, or years. But before a message is encrypted for sending, and after it is decrypted on receipt, it is plaintext that can be accessed by any software running on the sending and receiving devices, most especially the messaging clients doing the sending and receiving! This is no more of a shortcoming than the fact that seatbelts don’t prevent gas tank explosions: that’s not the problem they are designed to solve!
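To make the boundary concrete, here is a toy model written for these notes (it is not code from the show, from Signal, or from TeleMessage). A relay server stores and forwards ciphertext it cannot read; a stock client decrypts only on the device; an archiving client, modelled on the feature described above, copies every plaintext it handles to a hypothetical third-party archive after decryption, which is exactly the step E2EE does not cover. The cipher is a deliberately simple encrypt-then-MAC construction built from the standard library’s HMAC-SHA256 so it runs anywhere; a real messenger uses a vetted AEAD and a key-agreement protocol, and the shared key here is an assumption standing in for that key exchange.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Toy E2EE primitive: HMAC-SHA256 in counter mode as a stream cipher, plus an
# HMAC tag over nonce||ciphertext (encrypt-then-MAC). Constructed for illustration.

def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from the conversation key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

class RelayServer:
    """The provider's server: stores and forwards blobs, never holds a key."""
    def __init__(self) -> None:
        self.stored = []

    def relay(self, blob: bytes) -> bytes:
        self.stored.append(blob)  # may sit here for years; still only ciphertext
        return blob

    def can_read(self, needle: bytes) -> bool:
        # Without the key the server can only scan for plaintext or guess a key.
        guess = secrets.token_bytes(32)
        for blob in self.stored:
            if needle in blob:
                return True
            try:
                decrypt(guess, blob)
                return True
            except ValueError:
                pass
        return False

class ArchiveService:
    """Hypothetical third-party archive (models the archiving feature above)."""
    def __init__(self) -> None:
        self.transcripts = []

class Client:
    """Stock client when archive is None; otherwise copies plaintext to the archive."""
    def __init__(self, name: str, key: bytes, archive: Optional[ArchiveService] = None) -> None:
        self.name, self.key, self.archive = name, key, archive

    def send(self, text: str, relay: RelayServer) -> bytes:
        if self.archive is not None:
            self.archive.transcripts.append((self.name, text))  # plaintext, before encryption
        return relay.relay(encrypt(self.key, text.encode()))

    def receive(self, blob: bytes) -> str:
        text = decrypt(self.key, blob).decode()
        if self.archive is not None:
            self.archive.transcripts.append((self.name, text))  # plaintext, after decryption
        return text

def demo(message: str = "wheels up at 0600") -> dict:
    # Assumption: both clients already share a conversation key; a real protocol
    # agrees this with a key exchange and the relay server never sees it.
    key = secrets.token_bytes(32)
    relay, archive = RelayServer(), ArchiveService()
    alice = Client("alice", key)        # stock client: nothing leaves the device
    bob = Client("bob", key, archive)   # archiving client
    received = bob.receive(alice.send(message, relay))
    return {
        "received": received,
        "relay_can_read": relay.can_read(message.encode()),
        "archived": [t for _, t in archive.transcripts],
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three positions at once: Bob receives the message intact, the relay server cannot recover it from what it stores, and the archive holds the plaintext anyway, because the archiving client handed it over after E2EE had already finished its job.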
Deep Dive(s)
❗ Action Alerts
- The May Android security update is out, and it fixes an actively exploited Zero-day: Google fixes actively exploited FreeType flaw on Android — www.bleepingcomputer.com/… (Patch if you can, or seriously consider a securable alternative!)
Worthy Warnings
- Student & Professional NosillaCastaways take note: Education giant Pearson hit by cyberattack exposing customer data — www.bleepingcomputer.com/…
- Pearson administers the exams for many educational and professional certifications and accreditations, including my Microsoft cybersecurity certifications 🙁
- The company is referring to the stolen customer data as ‘legacy’, but I’m not sure that’s very meaningful; how much of your PII has changed in the last 5 or even 10 years?
- The company’s response is worrying at best:
> “[W]hen BleepingComputer asked Pearson about whether they paid a ransom, what they meant by “legacy data,” how many customers were impacted, and if customers would be notified, the company responded that they would not be commenting on these questions.” — the Bleeping Computer Article
- 🇬🇧 UK NosillaCastaways take note: Co-op confirms data theft after DragonForce ransomware claims attack — www.bleepingcomputer.com/…
- Includes ‘personal details’ but not passwords or payment details for ‘a significant number’ of ‘current and past members’
- Not clear if notifications will be sent
- Worrying that the company initially tried to deny this breach had even happened 😕
Notable News
- WhatsApp unveils ‘Private Processing’ for cloud-based AI features — www.bleepingcomputer.com/…
- An example of the best kind of copying by Meta — at a software level, this appears equivalent to Apple’s Private Cloud Compute feature (appears not to be quite as impressive down at the hardware layer though)
- Meta even copied Apple’s approach of providing a mechanism for independent auditing by cybersecurity specialists!
- Another example of how AI helps the good side of cybersecurity too: Google Chrome to use on-device AI to detect tech support scams — www.bleepingcomputer.com/…
- 🇺🇸 Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection — thehackernews.com/…
- 🇪🇺 TikTok fined €530 million for sending European user data to China — www.bleepingcomputer.com/…
- The FIDO Alliance is rebranding World Password Day (May 1) as World Passkey Day, and one of its biggest members, Microsoft, really got into the spirit of things: Microsoft makes all new accounts passwordless by default — www.bleepingcomputer.com/…
- Related: Microsoft has deprecated the password management features they had briefly added to their Passkeys/MFA Authenticator app, Microsoft Authenticator — www.bleepingcomputer.com/… (Burdening Authenticator with legacy features is not useful IMO, let passwords slowly die in the browser 🙂)
Top Tips
- NosillaCastaways Managing Small Businesses take Note: UK shares security tips after major retail cyberattacks — www.bleepingcomputer.com/…
Excellent Explainers
- Another smart person’s take on passkeys: Passkeys for Normal People — www.troyhunt.com/…
- 🎧 A nice re-telling of the xz utils supply-chain backdoor that targeted SSH servers and very nearly caused a digital Armageddon last year (we covered it extensively in this series): kill switch: the biggest hack that never happened- the xz utils story — overcast.fm/…
Palate Cleansers
- From Bart:
- 🎧 This recent episode of the wonderful weekly short podcast The Economics of Everyday Things is very much in keeping with the NosillaCast’s evangelism for accessibility: The Economics of Everyday Things: 90. Closed Captions — overcast.fm/…
- 🎧 This recent episode of the excellent 99% Invisible podcast tells the fascinating story of how my beloved emoji are interacting with the legal system: 99% Invisible: 😅⚖️ — overcast.fm/…
- From Allison:
- David Spark of the CISO Series Podcast played three fun games on DTNS Live — one was to guess whether a name on a slide was a security company or a Star Wars character — it starts at ~37 min. 🎦 DTNS Live 5011: AI Me Anything! — www.youtube.com/…
- Researchers unveil LegoGPT, an AI model that designs physically stable Lego structures from text prompts and currently supports eight standard brick types: avalovelace1.github.io/…
- Somehow, a few episodes of the NosillaCast are on IMDb: www.imdb.com/…
Legend
When the text describing a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
🎦 | A link to video content. |
Hi Allison, first, congratulations on the 20-year anniversary of your podcast. I haven’t been listening that long, but I guess more than a decade. I learned a lot from you and Bart, thanks to the both of you.
In this episode of Security Bits, you mentioned the annoying clash between two password managers on your Mac. I have the same problem, with 1Password and Apple’s Password app. So it would be nice if you could give me some advice how to sort this out.
Thanks, Frank! I’m going to do some research to see if 1P has written about the conflict, and also write to 1P to see what we can do about it. For now the best I can offer is to hit the escape key when you see both interfering. If I find anything out, I may not remember to write back here, but I’ll definitely talk about it on the podcast if it’s helpful.