Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.
Google’s Scam Detection feature, which works on Pixel Watch 2 and 3 devices connected to a Pixel 9 and newer phone, will notify you if it thinks you’re talking to a scammer on a call, according to a support post.
Google Play services are also getting updates, including the ability to add a nickname to Wallet passes. And an Android security update addressed two issues that “may be under limited, targeted exploitation.”
Apple has won its first legal battle over the UK’s demand for a backdoor to encrypted data: the right to tell everyone it’s happening. The Investigatory Powers Tribunal has ruled on whether Apple’s claim should be kept secret on national security grounds, and Apple won.
That doesn’t bring it any closer to restoring ADP encryption in the UK, nor does it mean hearings will be public, but this open secret is a little more open.
[investigatorypowerstribunal.org.uk]
After years of providing breach notifications and useful advice about how to avoid getting hacked, Have I Been Pwned operator Troy Hunt’s personal blog mailing list has become the source of a breach after he fell for a fake spam alert phishing attack this week. He has notified subscribers, and is following up for people who unsubscribed but still had data stored by his provider, Mailchimp.
Read the blog post for details on how they got him (listen to your password manager), how it could’ve been avoided (passkeys!), and what else there is to learn.
The device helps you access your Google account without a password by connecting to your PC through a USB port or wirelessly with NFC. It’s now available for purchase in 11 more countries, including Ireland, Portugal, The Netherlands, Australia, New Zealand, Singapore, Puerto Rico, and others.
[security.googleblog.com]
CIA director John Ratcliffe, Director of National Intelligence Tulsi Gabbard, FBI Director Kash Patel, and others are testifying today before the House Intelligence Committee. Unsurprisingly, a good amount of the hearing is centered around Signalgate, with most questions coming from Democrats. Watch a recording below.
A day after The Atlantic EIC Jeffrey Goldberg revealed he’d been inadvertently included in a group message on Signal where Trump admin officials discussed details of an upcoming military strike, CBS News reports on an NSA warning from February that the app isn’t approved for “nonpublic unclassified” information. Despite testimony today that no classified material was shared, the NSA noted the danger posed by Russian phishing campaigns attempting to add a linked device and bypass Signal’s encryption for surveillance.
Later on Tuesday evening, Democratic Leader Hakeem Jeffries shared a letter he’d sent to the president saying Secretary of Defense Pete Hegseth “should be fired immediately” over the breach, and watchdog organization American Oversight said it’s filed a lawsuit against several of the officials in the chat.
The Citizen Lab just published its investigation into Paragon Solutions, an “ethical” cyber defense company recently linked to a spyware campaign targeting journalists on WhatsApp. Along with the Canadian Ontario Provincial Police, researchers found that governments in Australia, Cyprus, Denmark, Israel, and Singapore may also be potential Paragon customers.
That’s how much Google’s parent company will pay if its $32 billion acquisition of the cloud security startup falls apart, sources tell the Financial Times. The deal reportedly wouldn’t have proceeded without such a high termination fee, which the FT calls “among the largest of all time.”
Security Checkup, an all-in-one security dashboard similar to Google’s identically named tool, allows TikTok users to manage their devices, two-step verification, passkey, security activity, and account recovery options all from a single screen. The new hub can be accessed by selecting “Settings and privacy” within your TikTok profile and tapping “Security & permissions.”
In a lawsuit filed this week, NY Attorney General Letitia James accused Allstate’s subsidiary, National General, of storing customers’ driver’s license numbers in plain text, leading to a 2020 breach that exposed the information of more than 12,000 people.
Following this incident, James alleges National General “continued to leave driver’s license numbers exposed” on a separate website, which allowed hackers to get ahold of the personal information of more than 187,000 customers the following year. She also claims National General failed to properly notify affected customers.
An anonymous Vancouver school guidance counselor told Associated Press that the Gaggle monitoring software “is good for catching suicide and self-harm” risks, but students then look for workarounds once they’re caught. An AP investigation found that many students’ Gaggle incident documents shared by the district weren’t protected and could be read by anyone with a link.
One of the malicious apps masqueraded as a file manager and had more than 10 downloads, according to the cybersecurity firm Lookout. The app contained Android spyware called KoSpy, which Lookout attributes to the North Korean hacking group APT37. It’s capable of collecting a device’s SMS messages, call logs, location, files, and more.
Lookout says the apps it found have since been removed from the Google Play Store.
Android Authority spotted a new beta feature to delete all your passwords, passkeys, and other data from the tool in one go, rather than removing them individually.
In October Google made it easier to use third-party password managers in Chrome on Android, and this change should help users move from Google’s option to another without leaving a load of data behind.
[androidauthority.com]
A new batch of Apple security updates today that includes iOS 18.3.2 and macOS 15.3.2 might re-enable Apple Intelligence (again), but it also supplements an issue first addressed in iOS 17.2, where “Maliciously crafted web content may be able to break out of Web Content sandbox,” according to an Apple update note spotted by 9to5Mac.
Plankey isn’t new to the Trump administration, as he previously served as the principal deputy assistant secretary at the Department of Energy from 2019 to 2020. He also worked as the director for cyber policy with the National Security Council before that.
[cyberscoop.com]
While Elon Musk claimed the “massive cyberattack” impacting X’s service had originated from Ukrainian IP addresses, security researchers note that this isn’t conclusive as attackers often obfuscate their true locations via compromised devices, proxy networks, and VPNs.
Analysts told Wired that there’s also evidence that some of X’s servers were publicly visible before being secured behind the company’s Cloudflare DDoS protection, which may have exposed the platform to direct attacks.
The platform has been going down intermittently since around 5:40AM ET on Monday, with no official ETA for when the outages will be resolved, and no details provided about what’s causing the issues. Musk made similar claims about cyberattacks impacting X’s services last year when Spaces crashed out during a scheduled conversation with Donald Trump, though X staffers at the time told The Verge that an attack hadn’t occurred.
