Feedback & Followups
- 🇦🇺 Apple is testing an enhancement to its child protection features in Australia – when Apple’s existing opt-in nudity detection AI feature flags an image as potentially problematic, a new option appears to allow the child to report the image to Apple for review before passing it on to local law enforcement if appropriate – appleinsider.com/…
- 🇨🇦 Canada joins the attack on TikTok, ordering their Canadian subsidiary to shut down on national security grounds – www.bleepingcomputer.com/…
⚠️ Action Alerts
- Remember, Apple’s point updates are not just about new features! Apple Updates Everything – isc.sans.edu/…
- Google’s November Android patches: Google fixes two Android zero-days used in targeted attacks – www.bleepingcomputer.com/… (Patch if you can)
- Two of the most popular NAS vendors rush out critical security updates after their devices are exploited at the recent Pwn2Own competition in Dublin, Ireland:
- D-Link won’t fix critical flaw affecting 60,000 older NAS devices – www.bleepingcomputer.com/… (If you own one of the affected DNS-320 variants, time to bin it and buy a new NAS.)
- Related: Windows 10 home users will be able to buy an extra year of security updates (branded ESU for Extended Security Updates) for $30 when Windows 10 goes out of support on October 14th, 2025 – www.bleepingcomputer.com/…
Worthy Warnings
- LastPass are warning of yet another way scammers are trying to trick their users into compromising all their passwords: by putting fake customer support numbers in app store reviews (the one for Google Chrome extensions in this case) – www.bleepingcomputer.com/…
- There is a lesson here for all of us – not all the information on an app’s page in an app store is from the developer. Reviews are user-generated content, so they are absolutely not trustworthy! Check the context of any kind of contact information before believing it!
- Attackers have found a way to exploit DocuSign’s APIs to send very convincing fake invoice phishing emails – www.bleepingcomputer.com/…
- An example of the ever more popular Living off the Cloud technique of abusing trusted domains for illicit ends
- This was a big campaign; I saw quite a few examples in the wild!
- 🇬🇧 Scammers target UK senior citizens with Winter Fuel Payment texts – www.bleepingcomputer.com/…
Notable News
- Cybercriminals are deploying new tactics you should be aware of: Android malware “FakeCall” now reroutes bank calls to attackers – www.bleepingcomputer.com/… (those are outgoing calls initiated by the user!)
- Major Software-as-a-Service (SaaS) vendors continue to nudge the world towards universal Multi-Factor Authentication:
- Microsoft Entra “security defaults” to make MFA setup mandatory – www.bleepingcomputer.com/… (most likely to positively impact small mom-and-pop businesses who use Office365 for a handful of users and don’t have a dedicated IT person)
- Google Cloud to make MFA mandatory by the end of 2025 – www.bleepingcomputer.com/… (will make us all a little safer by making it more difficult for the baddies to hijack the admin accounts that manage the Google Platform as a Service (PaaS) infrastructure powering many of the apps and services we all use every day – this affects Google’s alternative to Amazon Web Services AKA AWS, and Microsoft Azure, both of which are already further down the same path)
- The dark and light sides of AI in the cybersecurity space:
- We knew this was coming, and it will only get better: ChatGPT-4o can be used for autonomous voice-based scams – www.bleepingcomputer.com/…
Researchers have shown that it’s possible to abuse OpenAI’s real-time voice API for ChatGPT-4o, an advanced LLM chatbot, to conduct financial scams with low to moderate success rates.
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine – thehackernews.com/…
“We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software” – the Google team
- Android users are confused and cranky as Google injects a tracking domain into all links shared from their popular Google app for Android – www.bleepingcomputer.com/… (similar to how X/Twitter adds their t.co tracking domain to all links on that platform)
- 🇰🇷 South Korea Fines Meta $15.67M for Illegally Sharing Sensitive User Data with Advertisers – thehackernews.com/…
Top Tips
- If the exposé on the US location tracking industry linked last time left you concerned, Adam Engst has some practical advice for you: Protect Yourself Against Location Tracking Abuses – tidbits.com/…
Excellent Explainers
- Why free VPNs aren’t always safe to use – appleinsider.com/… (or, as I would put it, “follow the money”)
- 🎧 An excellent explanation of the economics of data breaches: Planet Money: So your data was stolen in a data breach – overcast.fm/…
Palate Cleansers
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ⚠️ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |