Feedback & Followups
- 🇺🇸 US Court Blocks Spyware Vendor NSO Group from Targeting WhatsApp Users – cyberinsider.com/… (Maybe their recent change to US ownership will give this injunction more teeth!)
- Update on the Tea app which suffered such catastrophic data breaches recently: Apple confirms removal of controversial dating apps after safety breaches – www.macobserver.com/… (the male-focused clone TeaOnHer was also removed, but both are still on the Google Play Store)
❗ Action Alerts
- Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws – www.bleepingcomputer.com/…
- A reminder that this is the last set of patches for Windows 10 users not on an Extended Security Updates (ESU) plan – www.bleepingcomputer.com/…
- It’s not just Windows 10: Microsoft: Office 2016 and Office 2019 have reached end of support – www.bleepingcomputer.com/…
- Technical debt strikes again: Microsoft restricts IE mode access in Edge after zero-day attacks – www.bleepingcomputer.com/…
- Microsoft disables File Explorer preview for downloads to block attacks – www.bleepingcomputer.com/…
- ⚠️ Framework Laptop Owners: Secure Boot bypass risk threatens nearly 200,000 Linux Framework laptops – www.bleepingcomputer.com/… (patch available, so apply!)
Worthy Warnings
- A Timely Reminder that Malicious Ads are Still a Problem: Google ads for fake Homebrew, LogMeIn sites push infostealers – www.bleepingcomputer.com/…
- Reminder – Agentic AI Browsers and add-ins are too new to be safe (AI taking actions, not answering questions):
- Related: Cursor, Windsurf IDEs riddled with 94+ n-day Chromium vulnerabilities – www.bleepingcomputer.com/…
- > Cursor and Windsurf are AI-powered code editors forked from Visual Studio Code. They integrate large-language models (LLMs) to help developers write software more easily and quickly.
- Cybercriminals have developed a new and devious strategy: faking a company’s legitimate legacy features, i.e. tricking living users into thinking they have been reported as dead and must act immediately or their legacy contacts will be given access to their account:
- Fake LastPass death claims used to breach password vaults – www.bleepingcomputer.com/…
- Expect this tactic to be used against other services that have similar features (Meta & Apple are likely future targets since they have mature legacy features)
- A new ‘ClickFix’ variation: TikTok Videos Promoting Malware Installation – SANS ISC – isc.sans.edu/…
- ⚠️ Signal Users: Signal Users Targeted by Fake Support Messages for Account Hijacks – cyberinsider.com/…
- ⚠️ iPhone Users: Apple have changed how iPhones treat unknown USB devices in iOS 26; the new setting is less secure than the old, but may be a better trade-off for most people – www.cultofmac.com/… (Editorial by Bart: the headline is clickbait and out of tune with the article itself)
- Previous Default Behaviour: always ask for confirmation before making a data connection to any unknown device (still available as Settings → Privacy & Security → Wired Accessories → Ask for New Accessories)
- New Default Behaviour: only ask for confirmation if the phone is locked when the connection is made.
- So-called ‘Juice Jacking’ attacks have been theoretically possible for years but, rather surprisingly, have not (yet at least) been deployed widely in the real world, so (today at least) the actual risk for regular users is low, which might explain the change.
- ⚠️ 🇺🇸 Apple Users: Is “Applestore[@]usa[.]com” Legit? No – here’s what to do – www.macobserver.com/…
- 🇺🇸 Prosper Data Breach Exposed 17.6 Million People’s Information – cyberinsider.com/…
- A major US peer-to-peer lending platform
- No mention of affected users being notified, but the data has been loaded into Have-I-Been-Pwned, and the list of breached fields is extremely worrying
Notable News
- Have-I-Been-Pwned has loaded one of the biggest dumps of stolen credentials circulating on the dark web into their breach notification service – www.troyhunt.com/…
- This catalogue of stolen credentials was harvested from cybercriminals by security researchers; it is not a traditional breach
- These credentials were stolen using keyloggers and other data-stealing malware, so they were taken from users, not from websites
- Google Quietly Dismantles Core of Privacy Sandbox for Chrome – cyberinsider.com/…
- Might be a blessing in disguise – rather than rolling their own Chrome-only solutions, they are switching to working within the W3C to develop new privacy-protecting standards to replace third-party cookies
- 🇺🇸 EFF Sues US Government Over AI-Powered Social Media Surveillance – cyberinsider.com/…
- 🇺🇸 California becomes the next US state to impose age verification on App Stores – appleinsider.com/… (Headline does not match actual article content)
- No ID requirements, so not a privacy problem
- Effectively forces App Store operators to give parents the tools they need to manage their kids’ devices
- Forces App Stores to make specific age brackets available to developers
- Apple already has an API for this (added with the OS 26 releases), but the age ranges don’t align, so Apple will need to add some new API calls to comply, but won’t need to make major changes – www.macobserver.com/…
- Google may have a little more work to do, but it shouldn’t be a big deal.
- 🇪🇺 🇦🇹 Austrian DPA Finds Microsoft 365 Illegally Tracked Students – cyberinsider.com/…
- Microsoft US was found to be exerting too much influence over Microsoft Ireland, so the case was found against the US parent company, not the European subsidiary.
- > The DSB confirmed that Microsoft 365 Education set several non-essential tracking cookies without user consent. These cookies were found to be unnecessary for technical operation and thus required prior consent, which was not obtained. As a result, Microsoft, the Ministry, and the school must now check whether these cookies are still in use and delete any associated data within ten weeks.
- 🇮🇪 Hackers earn $1,024,750 for 73 zero-days at Pwn2Own Ireland – www.bleepingcomputer.com/…
- > After the zero-days are exploited at Pwn2Own, the vendors have 90 days to release patches before Trend Micro’s Zero Day Initiative publicly discloses them.
- Expect a whole bunch of patches for major products from Apple, Google, Samsung, Meta, QNAP, and more soon
- Firefox Add-ons Must Declare Data Collection Starting November 3 – cyberinsider.com/… (Editorial by Bart: good to see these older app stores back-port the kinds of features Apple have been adding to theirs)
- Meta Rolls Out New Anti-Scam Features on WhatsApp and Messenger – cyberinsider.com/… (the intelligent screen-share blocking looks particularly useful for disrupting scams)
- Mullvad VPN’s Web App Passes Security Audit With Almost Perfect Score – cyberinsider.com/…
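The Have-I-Been-Pwned item above (the infostealer credential corpus) is the sort of thing a practitioner wants to check their own passwords against without sending them anywhere. The following is an added example, not code from this page or from HIBP, of the k-anonymity lookup that HIBP’s Pwned Passwords range API uses: the client sends only the first five hex characters of the password’s SHA-1 and matches the remaining 35 locally. The endpoint URL and the `Add-Padding` header are the real API; the sample response embedded below is constructed for the example and its counts are not real figures.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6
# (real responses run to several hundred lines). Each line is
# "<35 hex chars of the SHA-1 suffix>:<count>". With Add-Padding the server
# mixes in fake suffixes whose count is 0, so those must be discarded.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:0
"""

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that goes over the wire and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}, dropping padding entries."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        suffix = suffix.upper()
        if not sep or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        n = int(count)
        if n == 0:
            continue  # padding entry injected by Add-Padding: true
        counts[suffix] = n
    return counts


def pwned_count(password: str, range_response: str) -> int:
    """How many times the password appears in the corpus covered by this
    range response (0 means not found). The password itself is never sent."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-char prefix against the public endpoint.
    Not called by the offline demo below; requires network access."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo against the constructed sample. For a live check use
    # pwned_count(pw, fetch_range(sha1_prefix_suffix(pw)[0])) instead.
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, SAMPLE_RANGE_RESPONSE))
```

Two caveats worth keeping in mind: the padding mode means a suffix with count 0 is noise, not a hit, and Pwned Passwords answers the question "has this password been seen in any dump" rather than "was my email/password pair in this particular corpus"; the latter is what the HIBP email search and notification service covers.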
Interesting Insights
- 🎧 Turns out this story is much more nuanced than it first appears: kill switch: maybe ICEBlock was “activism theater,” but is banning it protecting us? – overcast.fm/…
- From Allison: The best episode of This Week in Tech I’ve ever listened to. Leo had on Jacob Ward, Harper Reed, and Abrar Al-Heeti. The discussions on AI were enlightening and funny at the same time. “Nine Days a Week” for 19 October 2025
Palate Cleansers
- From Allister Jenks: Jessica Rooster: “HAL 9000: I’m sorry Dave, I’m afraid I can’t do t…” – beige.party – beige.party/… (In the NosillaCast Slack at podfeet.com/slack)
- From NosillaCastaway Joop: 🎦 Node.js: The Documentary, An origin story – www.youtube.com/…
- From Maynooth University Prof David Malone: A fun timeline from the first password to passkeys – ssg.dev/…
- From Bart:
- A very useful free Mac app from Devon Technologies (of DevonThink fame): Neo Network Utility 2.0 – www.devontechnologies.com/…
- 🎦 A simply amazing conversation with the much missed Jane Goodall, recorded a few months before her recent death: Jane Goodall Interview on ‘Famous Last Words’ – Netflix Tudum (via web.archive.org/…) (direct Netflix link)
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
