Thursday, June 1, 2023

Apple's iOS 16.5 Fixes 3 Security Bugs Already Used in Attacks

Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.

Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor

Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.

Netflix’s Password-Sharing Crackdown Has Hit the US

TikTok user data is exposed to Chinese ByteDance employees, a screen recording app goes rogue in Google Play, and privacy groups want Slack to expand encryption.

Bcrypt, a Popular Password Hashing Algorithm, Starts Its Long Goodbye

The co-inventor of “bcrypt” is reflecting on the ubiquitous function’s 25 years and channeling cybersecurity’s core themes into electronic dance music.

The Security Hole at the Heart of ChatGPT and Bing

Indirect prompt-injection attacks can leave people vulnerable to scams and data theft when they use the AI chatbots.

China Hacks US Critical Networks in Guam, Raising Cyberwar Fears

Researchers say the state-sponsored espionage operation may also lay the groundwork for disruptive cyberattacks.

Chinese Labs Are Selling Fentanyl Ingredients for Millions in Crypto

And it's happening in plain sight.

There’s Finally a Way to Improve Cloud Container Registry Security

“Container registries” are ubiquitous software clearinghouses, but they've been exposed for years. Chainguard says it now has a solution.

Leaked Government Document Shows Spain Wants to Ban End-to-End Encryption

In response to an EU proposal to scan private messages for illegal material, the country's officials said it is “imperative that we have access to the data.”

Meta’s $1.3 Billion Fine Is a Strike Against Surveillance Capitalism

The record-breaking GDPR penalty for data transfers to the US could upend Meta's business and spur regulators to finalize a new data-sharing agreement.

The Real Risks in Google’s New .Zip and .Mov Domains

While the company’s new top-level domains could be used in phishing attacks, security researchers are divided on how big of a problem they really pose.

A TikTok ‘Car Theft’ Challenge Is Costing Hyundai $200 Million

Plus: The FBI gets busted abusing a spy tool, an ex-Apple engineer is charged with corporate espionage, and collection of airborne DNA raises new privacy risks.

The Underground History of Turla, Russia's Most Ingenious Hacker Group

From USB worms to satellite-based hacking, Russia’s FSB hackers, known as Turla, have spent 25 years distinguishing themselves as “adversary number one.”

How You, or Anyone, Can Dodge Montana’s TikTok Ban

Montana’s TikTok ban will be impossible to enforce. But it could encourage copycat crackdowns against the social media app.

A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks

Kaspersky researchers have uncovered clues that further illuminate the hackers’ activities, which appear to have begun far earlier than originally believed.

Google May Delete Your Old Accounts. Here’s How to Stop It

Your inactive profiles, like Gmail or Docs, could turn into digital dust later this year. A few clicks can save them.
The Register

Dark Pink cyber-spies add info stealers to their arsenal, notch up more victims

Not to be confused with K-Pop sensation BLACKPINK, gang pops military, govt and education orgs

Dark Pink, a suspected nation-state-sponsored cyber-espionage group, has expanded its list of targeted organizations, both geographically and by sector, and has carried out at...
The Register

Feds, you’ll need a warrant for that cellphone border search

Here's a story with a twist

A federal district judge has ruled that authorities must obtain a warrant to search an American citizen's cellphone at the border, barring exigent circumstances.…
Graham Cluley

Smashing Security podcast #324: .ZIP domains, AI lies, and did social media inflame a riot?

ChatGPT hallucinations cause turbulence in court, a riot in Wales may have been ignited on social media, and do you think .MOV is a good top-level domain for "a website that moves you"? All this and...

Researchers tell owners to “assume compromise” of unpatched Zyxel firewalls

Firewalls made by Zyxel are being wrangled into a destructive botnet, which is taking control of them by exploiting a recently patched vulnerability with a severity...

AI-expanded album cover artworks go viral thanks to Photoshop’s Generative Fill

(Image: An AI-expanded version of a famous album cover involving four lads and a certain road, created using Adobe Generative Fill. Credit: Capitol Records / Adobe / Dobrokotov) Over...