Feedback & Followups
- 🇨🇦 More voices against Canada’s proposed End-to-End-Encryption ban:
  - Apple Google Push Judicial Oversight Canada Online Safety Bill — www.reuters.com/…
  - Citizen Lab urges Canada to withdraw parts of Bill C-22 over privacy concerns — cyberinsider.com/… (world-leading privacy lab that has found multiple state-level spyware apps over the years)
- 🇺🇸 More misguided age verification goes live: Age verification now mandatory for App Store users in Texas — appleinsider.com/…
  - The law itself is still being challenged in the courts, so this could, perhaps, be temporary
- 🇺🇸 Continued Apple Account Rollout: iPhone users can now store their Arkansas driver’s license in Apple Wallet — www.cultofmac.com/…
❗ Action Alerts
- May Android Update: Google fixes one actively exploited Android zero-day, 124 flaws — www.bleepingcomputer.com/… (patch if you can, or get a new phone!)
  - Related: WhatsApp, Slack Notifications Could Hijack Google Gemini on Android — thehackernews.com/… (patched too)
  - ⚠️ Related — Office365 Users on Android: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag — thehackernews.com/… (also patched)
- New CIFSwitch Linux flaw gives root on multiple distributions — www.bleepingcomputer.com/… (another Local Privilege Escalation bug, but only on some distros, and there are patches this time!)
- ⚠️ Acer Router Owners: Acer working to patch max severity zero-days in Wave 7 routers — www.bleepingcomputer.com/…
  - No patch yet, so be sure to verify that your router’s management interface is not exposed to the internet!
Worthy Warnings
- FBI warns of fake FIFA websites running World Cup fraud schemes — www.bleepingcomputer.com/…
- A timely reminder to be careful installing IDE plugins: GitHub confirms breach of 3,800 repos via malicious VSCode extension — www.bleepingcomputer.com/…
  - All of GitHub’s internal code repos were leaked because a developer working for Microsoft installed a plugin from the Microsoft VS Code Marketplace that was malicious!
  - Hopefully this finally drives home the message that Microsoft need to get much more hands-on with regulating the VS Code marketplace!
  - Note that no customer repos were accessed, just the repos the GitHub developer who installed the plugin had access to.
  - ⚠️ Related — VS Code users on Windows: VS Code zero-day lets hackers steal GitHub tokens in one click — www.bleepingcomputer.com/… (no patch yet, but there is a work-around)
- ⚠️ Signal Users: Signal users targeted by attackers seeking backup recovery keys — cyberinsider.com/… (phishing via Signal messages pretending to be Signal Support)
- ⚠️ 🇺🇸 Verizon Customers: Verizon VoLTE network found missing IPsec protections for SIP signaling — cyberinsider.com/…
  - The company has decided that since the encryption is only recommended by the standard, not required, they’re not going to bother with it
  - The only option for customers seems to be to assume nothing said over their cellphone is actually private
- ⚠️ 🇪🇺 People travelling to Europe: Over 100 Dutch hotels hit by breach exposing guest reservation data — cyberinsider.com/…
  - The Dutch hotels were the ones to notice and go public, but the problem is much bigger, confirmed to also affect hotels in Ireland and the UK, and perhaps more countries
  - The hotels are not the sources of the breach, and an as-yet-unknown 3rd-party service provider appears to be the source
  - Until someone figures out which of the many service providers hotels have to partner with got breached, everyone with a European hotel booking should be extra suspicious of any emails claiming to be about a hotel reservation — victims are receiving extremely convincing phishing emails that contain correct booking details!
- ⚠️ 🇺🇸 DentaQuest Users: DentaQuest data breach exposed sensitive info of 2.6 million people — cyberinsider.com/…
  - The company has not been forthcoming, but the full breach has been loaded into Have I Been Pwned (details)
  - This breach is noteworthy because of how sensitive the leaked data is — including physical addresses, health insurance information, and government-issued IDs
  - Users are vulnerable to extremely convincing targeted phishing campaigns
- ⚠️ Microsoft Outlook Users Connecting via POP: Microsoft Outlook leaves email connections unencrypted despite SSL/TLS setting — cyberinsider.com/…
  - The correct way to configure TLS for POP is to tick the encryption checkbox and specify the new secure port (995), rather than the old insecure port (110).
  - It’s not uncommon for people to tick the box but not update the port, and most clients resolve this inconsistent config by silently switching to the new port and using encryption
  - The Exchange App currently handles this inconsistent config by continuing to use the old port, and hence, to connect without encryption 🤦
  - If you use Outlook to connect to a server using POP, check that you have it properly configured!
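As an added example (not code from the article, from cyberinsider.com or from Microsoft), the following Python audits a set of POP3 account settings for the mismatch described above (encryption ticked, port still 110) and can also probe a real server over implicit TLS on port 995 with certificate and hostname verification. The account records, host names and the `probe_pop3_tls` helper are constructed for illustration; only the classification is exercised offline.

```python
"""Check POP3 account settings for the "encryption ticked, port still 110"
mismatch, and optionally probe a server over implicit TLS.

Added example, not code from the article or from Microsoft. The account
records and host names below are constructed for illustration.
"""
import poplib
import ssl

POP3_PLAIN_PORT = 110  # legacy cleartext port; an STLS upgrade there is optional
POP3_TLS_PORT = 995    # implicit TLS: the handshake happens before any POP3 command

# Constructed sample of what a mail client's account settings might hold.
SAMPLE_ACCOUNTS = [
    {"name": "work", "host": "pop.example.com", "port": 995, "encryption": True},
    {"name": "legacy", "host": "pop.example.com", "port": 110, "encryption": True},
    {"name": "old-isp", "host": "mail.example.net", "port": 110, "encryption": False},
    {"name": "custom", "host": "mail.example.org", "port": 2995, "encryption": True},
]


def classify_pop_config(port: int, encryption_ticked: bool) -> str:
    """Classify one account as 'secure', 'inconsistent', 'plaintext' or 'unusual'.

    'inconsistent' is the combination the article describes: the encryption
    box is ticked but the port is still 110, which most clients silently
    upgrade to 995 and which Outlook connects to without encryption.
    """
    if not encryption_ticked:
        return "plaintext"
    if port == POP3_TLS_PORT:
        return "secure"
    if port == POP3_PLAIN_PORT:
        return "inconsistent"
    return "unusual"


ADVICE = {
    "secure": "OK: implicit TLS on port 995.",
    "inconsistent": "Encryption is ticked but the port is 110; change it to 995.",
    "plaintext": "No encryption selected; password and mail travel in the clear.",
    "unusual": "Non-standard port; confirm with the provider that it speaks TLS.",
}


def audit_accounts(accounts):
    """Return (name, verdict, advice) for each account, worst problems first."""
    order = {"plaintext": 0, "inconsistent": 1, "unusual": 2, "secure": 3}
    results = []
    for acct in accounts:
        verdict = classify_pop_config(acct["port"], acct["encryption"])
        results.append((acct["name"], verdict, ADVICE[verdict]))
    return sorted(results, key=lambda r: order[r[1]])  # stable sort keeps input order within a tier


def probe_pop3_tls(host: str, port: int = POP3_TLS_PORT, timeout: float = 5.0) -> dict:
    """Open an implicit-TLS POP3 session (hypothetical helper; needs network).

    The default SSL context verifies the certificate chain and hostname, so a
    server presenting a bad certificate is reported as a failure, not ignored.
    """
    ctx = ssl.create_default_context()
    try:
        conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "port": port, "tls": False, "error": str(exc)}
    try:
        return {
            "host": host,
            "port": port,
            "tls": True,
            "protocol": conn.sock.version(),
            "cipher": conn.sock.cipher()[0],
            "greeting": conn.welcome.decode(errors="replace").strip(),
        }
    finally:
        conn.quit()


if __name__ == "__main__":
    for name, verdict, advice in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name:8} {verdict:12} {advice}")
    # Replace the placeholder host with your provider's POP3 server for a live check:
    # print(probe_pop3_tls("pop.example.com"))
```

The point of the classifier is that "encryption ticked" on its own proves nothing; the port decides whether the TLS handshake happens before the first POP3 command, which is why an account in the `inconsistent` tier should be treated as plaintext until the port is corrected.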
Notable News
- Researchers built AI worm that can adapt to infect diverse devices — cyberinsider.com/…
  - This is a proof-of-concept to begin to understand what is possible
- Some nice cybersecurity improvements:
  - Google Chrome adds session cookie theft protection for all users — www.bleepingcomputer.com/…
    - Initially a Windows-only beta, now rolled out to all platforms
    - Session cookies for websites supporting the new standard are digitally signed by on-device security chips (TPM or Secure Enclave) so that even if the session gets stolen by malware or phishing, it can’t be used on any other computer.
  - Google adds Android protection against AI deepfake scam calls — www.bleepingcomputer.com/…
    - Interesting idea — uses special RCS messages to ping the real person’s phone to check if they are on a call or not
    - Only works if the call recipient and the person being spoofed are both on Android, and, if the person being spoofed is in the recipient’s address book
    - Could evolve into an interesting cross-platform standard, so an interesting proof-of-concept
  - Mullvad VPN on Android passes Google-backed MASA security audit — cyberinsider.com/…
  - Proton Drive adopts OpenPGP encryption, delivers 300% faster uploads — cyberinsider.com/… (upgrade of already end-to-end-encrypted service)
Just Because it’s Cool 😎
- Quantum breakthrough produces perfect randomness for secure communications — cyberinsider.com/…
  - “ETH Zurich researchers have demonstrated what they describe as the world’s first generation of certifiably perfect random numbers using a quantum experiment based on entangled superconducting qubits. The breakthrough could strengthen future encryption systems, digital identity protections, and quantum-secure communications by eliminating subtle biases found in conventional random number generators.”
  - Related: How Apple turned to math to defend against next-gen attacks on encryption — appleinsider.com/… (Proven correct post-quantum algorithm implementation in Core Crypto API available to all apps on Apple’s platforms)
    - The Apple Security blog post: A blueprint for formal verification of Apple corecrypto — security.apple.com/…
Palate Cleansers
- From Allison: 🎦 a concise, clear, fun explanation of the differences between CPUs, GPUs & TPUs (AKA NPUs) — www.tiktok.com/…
- From Bart:
  - For any terminal geeks stuck on Windows: Microsoft’s Coreutils project brings Linux commands to Windows — www.bleepingcomputer.com/… (port of GNU Core Utils to Windows in Rust)
  - 🎦 the surprisingly complex and fascinating history of Lorem Ipsum — youtube.com/…
- From Bart’s better half:
  - This battery doesn’t need Lithium, and it just hit mass production — youtube.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to. When the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📈 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
