Feedback & Followups
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com/… (Following the embarrassing compromise of their update infrastructure that required all users to do a manual upgrade late last year)
- 🇬🇧 A little movement on the UK’s ongoing attempts to break iCloud encryption for everyone: U.S. lawmakers request briefing on the UK’s iCloud encryption backdoor plans — appleinsider.com/…
- Some timely reminders:
  - Attackers continue to target developers: Flaws in popular VSCode extensions expose developers to attacks — www.bleepingcomputer.com/…
  - Browser plugins continue to be used to target users: Proton warns of malicious Chrome extensions impersonating its VPN service — cyberinsider.com/…
Deep Dive 1 — 🧯 Password Manager Vulnerabilities
TL;DR — the issues identified are real, but they are not an immediate threat, and the password managers are responding by hardening their defences, so this is actually a good news story in disguise!
Security researchers at the Swiss university ETH Zurich have published the results of their research into whether or not the cloud infrastructure of three specific password managers (Bitwarden, LastPass & Dashlane) would protect user vaults if attackers were to completely compromise them.
They did discover some weaknesses, but none pose an immediate danger to users. The various attacks require a lot of luck for the attackers. If we use the Swiss cheese model of security, a lot of quite small holes in a lot of layers would need to line up for the attacks to succeed. Not impossible, but very unlikely.
In general, the companies are responding positively, embracing the findings and working to address them. The end result will be more secure password managers in the hands of millions of users.
Links
- The original research: Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers — eprint.iacr.org/…
- News Coverage:
- Opinion and analysis: 🎧 Security Now 1066: Password Leakage — twit.tv/…
Deep Dive 2 — New AirSnitch WiFi Vulnerability
TL;DR — even on captive portal networks, time to turn back on those VPNs 🙁
An exceptionally powerful feature enterprise-grade WiFi offers is client isolation. This means devices using a wifi network (clients) can talk to the internet, but not to anything else using the same wifi network (isolation). This stops things like malicious guests in a hotel or coffee shop from intercepting other guests’ connections or attacking their devices.
A simpler form of similar technologies has made its way into many home routers in the form of a separate guest network that is theoretically isolated from the homeowner’s own network.
These features are very powerful, but they’re not actually part of the official WiFi standard; they’re bonus extras developed by vendors to out-compete their rivals. This means each router does things a little differently, but all without the kind of rigour you get from a well-studied and deeply understood open standard.
The very talented computer scientists at KU Leuven in Belgium (their work regularly turns up enough new things to get mentioned in these segments) wondered how secure these features really are, given that they’re all so bespoke.
Thankfully, they didn’t find a single gaping hole that just works, but they came much closer than we’d hope. Rather than a single attack, they developed a small suite of attacks, each of which worked across multiple products, and every implementation they tested was at least somewhat vulnerable to at least some of the attacks.
The impact varied from Adversary-in-the-Middle (AiTM) attacks to full plain-text password stealing on some poorly configured enterprise networks using single-sign-on (e.g., Active Directory username+password to access WiFi). If that attack had been without caveats, it would have been a really big deal, but thankfully, that one only works when the organisation uses weak RADIUS keys.
The last time we did a deep-dive on WiFi security, it was around the question of whether or not we still needed VPNs. Thanks to the power of client isolation, I didn’t bother anymore when using wifi I recognised as enterprise grade (no pre-shared key) because I knew it almost certainly had client isolation. Now, that safety net has proven to be leaky 🙁
It’s still true that just about every website is secured, and no WiFi-level attack can break HTTPS, but it does mean that clicking past a certificate warning could be all it takes for an attacker to get into your bank account when you’re on a public WiFi network. If you’re not certain everything you do is properly encrypted, or if you’d like to work with a bit of a safety net, it probably is worth investing in a trustworthy VPN after all 😕
More details — cyberinsider.com/…
❗ Action Alerts
- Google patches first Chrome zero-day exploited in attacks this year — www.bleepingcomputer.com/…
- Zyxel warns of critical RCE flaw affecting over a dozen routers — www.bleepingcomputer.com/…
Worthy Warnings
- Previously harmless Google API keys now expose Gemini AI data — www.bleepingcomputer.com/…
  - E.g., a Google Maps API key on your website
- CarGurus data breach exposes information of 12.4 million accounts — www.bleepingcomputer.com/…
  - Sensitive data, and the company is not being forthright, so no notifications to affected users from them 🙁
Notable News
- We may have passed peak ransomware: Ransomware payment rate drops to record low as attacks surge — www.bleepingcomputer.com/…
  - Cybercriminals are motivated by money, so as payments dry up, attacks will need to get cheaper, either by falling in volume or, more likely, in complexity, focusing on the low-hanging fruit and letting more diligent organisations fall out of the cross-hairs.
  - This is a good example of why no-pay mandates/laws make so much sense — kill the revenue!
- 🇬🇧 UK plans age checks for VPN users to enforce social media limits — cyberinsider.com/…
  - Editorial by Bart: This is getting insane, this won’t work, this will just drive kids to free and very dodgy VPNs — you can’t use technology as a substitute for parental oversight!
  - Related: the iOS 26.4 beta contains test versions of new age-verification APIs for use by apps in some countries, including the UK — www.macobserver.com/…
- The two sides of AI on display again:
  - Hacker used AI to breach 600 FortiGate appliances across 55 countries — cyberinsider.com/…
    - “A financially motivated, Russian-speaking threat actor used commercial generative AI services to compromise more than 600 FortiGate devices across 55 countries. Rather than exploiting zero-day flaws, the campaign relied on exposed management interfaces and weak credentials, with AI acting as a force multiplier that enabled large-scale, parallel intrusions.”
  - Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning — thehackernews.com/…
- 1Password’s first price increase in very many years is a good opportunity to reflect on decisions likely made a long time ago in a very different world:
- More regulators regulating:
  - 🇺🇸 Texas sues TP-Link over Chinese hacking risks, user deception — www.bleepingcomputer.com/…
  - 🇬🇧 UK fines Reddit $19.5 million over children’s data privacy failures — cyberinsider.com/…
  - 🇺🇸 New York sues Valve for loot boxes violating state gambling laws — cyberinsider.com/…
  - 🇺🇸 Samsung to update smart TV data practices following Texas lawsuit — cyberinsider.com/… (We reported on this case being filed a few weeks ago)
- Some nice product updates:
  - Apple iPhone becomes first consumer product certified for handling classified NATO data — cyberinsider.com/… (actual military-grade security!)
Top Tips
Excellent Explainers
Interesting Insights
- 🎧 One of the most enlightening conversations about AI I’ve heard in a very long time: StarTalk Radio: The Origins of Artificial Intelligence with Geoffrey Hinton — overcast.fm/… (if the name is familiar, it’s because he won a Nobel Prize for his work on the very foundations of modern AI, dating back decades!)
Palate Cleansers
- 🖼️ My pet peeve about Sherlock Holmes hilariously ridiculed: xkcd.com/…
  - Reductive reasoning is terrible; it means the less imaginative you are, the more certain you are that you’re being ‘logical’! This kind of smart-sounding idiocy fuels our toxic conspiracy theory culture 🙁
  - “If you’ve eliminated everything you think is possible, the weirdest thing you can think of must be true” 🤯
- 🎧 My favourite grammar podcaster (Mignon Fogarty) chats with my favourite typography geek (Glenn Fleishman) about my least-favourite internet habit: Grammar Girl: why do we SHOUT in ALL CAPS? — bsky.app/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
