IT Privacy and Security Weekly update.


This is a somewhat light-hearted, lightweight IT privacy and security podcast that spans the globe in terms of issues covered, with topics that draw in everyone from newbie to tech specialist. Invest between 15 and 30 minutes a week to come up to speed on

RPS


    • Latest episode: Apr 24, 2025
    • New episodes: weekdays
    • Average duration: 20m
    • Episodes: 270



    Latest episodes from IT Privacy and Security Weekly update.

    EP 239.5 Deep Dive Crocodilus and The IT Privacy and Security Weekly Update for the Week Ending April 22nd., 2025

    Apr 24, 2025 (20:41)


    “Crocodilus” is a new Android malware aimed at cryptocurrency wallet users, notably in Spain and Turkey but potentially worldwide. It impersonates legitimate apps and tricks users into disclosing seed phrases. By exploiting Android's accessibility services, it can monitor screens, simulate gestures, bypass two-factor authentication, and drain assets.

    ChatGPT's latest models can analyze images in detail to determine real-world locations, raising privacy concerns, especially around doxxing. OpenAI imposes safeguards, but they may not fully prevent misuse.

    “Shadow AI” refers to employees secretly using unauthorized AI tools at work to enhance speed and efficiency. Nearly half admit to it, suggesting organizations must provide better AI solutions rather than simply banning them.

    The EU has banned autonomous AI agents in official online meetings over privacy and transparency risks, echoing the broader AI Act's emphasis on mitigating high-risk AI scenarios.

    Serious NFC vulnerabilities allow attackers to exploit firmware in contactless readers with oversized data packets, enabling remote code execution that can crash terminals, steal information, and even force ATMs to dispense cash. Many older systems remain unpatched.

    Ransomware attackers significantly increase demands upon finding evidence of a victim's cyber-insurance (potentially more than five times higher), highlighting the need to secure insurance documents.

    U.S. border agents can search electronic devices without warrants. Refusing to unlock can lead to confiscation for citizens or denial of entry for non-citizens. Travelers are advised to minimize stored data, disable biometric locks, and power down devices before crossing borders.

    Crocodilus and The IT Privacy and Security Weekly Update for the Week Ending April 22nd., 2025

    Apr 23, 2025 (19:06)


    EP 239. This week:

    Emerging Android malware “Crocodilus” is targeting crypto wallet users in Spain and Turkey with deceptive apps that hijack seed phrases and device access through sophisticated accessibility exploits.

    ChatGPT's new models are impressively accurate at identifying real-world locations from images, sparking both admiration for AI capabilities and concern over potential misuse.

    A new study reveals that 50% of employees secretly use unauthorized generative AI tools, highlighting the urgent need for smarter, sanctioned workplace solutions.

    The EU has banned AI agents in official virtual meetings, citing privacy and transparency concerns in line with its broader push for responsible AI use.

    Researchers have exposed critical NFC flaws that allow attackers to manipulate ATMs and payment terminals using only a smartphone, raising alarms about contactless payment security.

    Dutch research shows ransomware actors hike demands (up to 5.5x) when they discover cyber-insurance documents on victims' systems, underscoring the importance of discreet data handling.

    With U.S. border agents empowered to inspect devices without a warrant, travelers are advised to minimize data exposure and take proactive digital hygiene steps to safeguard personal information.

    Let's go discover this week's update... just be careful where you step!

    EP 238.5 Deep Dive - The IT Privacy and Security 'Times Are a Changin' Weekly Update for the Week Ending April 15th., 2025

    Apr 17, 2025 (16:57)


    What personal information was compromised in the Hertz breach?
    The breach exposed customer names, birth dates, contact info, driver's licenses, payment cards, and some Social Security numbers. It stemmed from a cyberattack on Cleo, a third-party vendor previously targeted in a mass-hacking campaign.

    How is air travel changing, and what are the privacy implications?
    ICAO aims to replace boarding passes with digital travel credentials using facial recognition and mobile passport data. While data is reportedly deleted quickly, the expansion of biometric surveillance raises major privacy and security concerns.

    Why is the EU giving staff burner phones for U.S. trips?
    To mitigate potential U.S. surveillance risks, the EU is issuing burner phones to officials visiting for IMF/World Bank meetings, echoing similar precautions for China and Ukraine. It signals growing distrust in transatlantic cybersecurity.

    How are North Korean hackers using LinkedIn?
    Groups like Lazarus use fake recruiter profiles to trick targets into opening malware-laden job materials. These campaigns steal credentials and crypto, funding North Korea's sanctioned activities and highlighting the rise of social engineering threats.

    Why is Let's Encrypt shortening TLS certificate lifespans?
    Let's Encrypt now issues 6-day certificates, down from 90. Benefits include improved security and automation; drawbacks involve more frequent renewals, which could create dependency on issuing infrastructure.

    What is the "Smishing Triad" targeting now?
    This group has moved from fake delivery texts to targeting banks via iMessage and RCS phishing. They steal banking info to load stolen cards into mobile wallets, illustrating more advanced and lucrative phishing tactics.

    What's the significance of China acknowledging U.S. infrastructure hacks?
    China's tacit admission of involvement in Volt Typhoon cyberattacks marks a shift in tone. The U.S. sees these as strategic signals, intensifying concerns about critical infrastructure security amid geopolitical tension.

    What is Android's new auto-reboot security feature?
    Android phones will now reboot automatically after three days of inactivity. This clears memory, closes apps, and requires re-authentication, reducing the risk of unauthorized access.

    The IT Privacy and Security 'Times Are a Changin' Weekly Update for the Week Ending April 15th., 2025

    Apr 16, 2025 (16:22)


    This week, Hertz lost your driver's license, birthday, and maybe your Social Security number. But don't worry, it was their vendor's fault.

    Boarding passes and check-ins are going extinct, and your face is the new passport, because what could possibly go wrong with global biometric surveillance?

    The EU is now handing out burner phones for U.S. trips, because apparently D.C. is the new Beijing when it comes to digital paranoia.

    North Korea's job recruiters are on LinkedIn now, offering dream gigs and delivering malware instead of paychecks.

    Certbot now supports six-day certs, because nothing says ‘secure' like constantly renewing your identity before your SSL gets a chance to age.

    The China-based Smishing Triad has moved from fake shipping notices to bank fraud, because stealing your toll bill just wasn't profitable enough.

    China basically winked at the U.S. and said “yeah, that was us” after hacking critical infrastructure.

    Google wants your Android to restart itself after three days of neglect. Finally, a reward for ignoring your phone.

    Come on! Let's go get changed!

    EP 237.5 Deep Dive: Artificial General Intelligence and The IT Privacy and Security Weekly Update for the Week Ending April 8th., 2025

    Apr 9, 2025 (15:39)


    1. Concerns About AGI Development
    DeepMind's 108-page report outlines four major risks of Artificial General Intelligence (AGI):
      • Misuse: AGI used maliciously (e.g., creating viruses).
      • Misalignment: AGI acting contrary to intended goals.
      • Mistakes: Errors causing unintended harm, especially in high-stakes sectors like defense.
      • Structural Risks: Long-term impacts on trust, power, and truth in society.
    While safety measures are urged, full control of AGI remains uncertain.

    2. Improving Machine Learning Security
    The open-source community is adopting model signing (via Sigstore), applying digital signatures to AI models. This ensures the model's authenticity and integrity, helping prevent the use of tampered or untrusted code in AI systems.

    3. Risks from AI Coding Assistants
    A newly identified threat, the Rules File Backdoor, allows attackers to embed malicious instructions in configuration files used by AI coding assistants (like GitHub Copilot or Cursor). This can lead to AI-generated code with hidden vulnerabilities, increasing risk through shared or open-source repos.

    4. Italy's Controversial Piracy Shield
    Piracy Shield, Italy's system for blocking pirated content, has mistakenly blacklisted legitimate services like Google Drive. Critics highlight issues around lack of transparency, violations of net neutrality and digital rights, and risks of censorship. Despite backlash, the system is being expanded, raising further concerns.

    5. EU's Push on Data Access and Encryption
    The EU's ProtectEU strategy includes strengthening Europol into a more FBI-like agency and proposing roadmaps for law enforcement access to encrypted data. This indicates a potential push toward backdoor access, reigniting debates on privacy vs. security.

    6. Cyberattacks on Australian Pension Funds
    Coordinated cyberattacks have compromised over 20,000 accounts across Australian retirement funds, with some user savings stolen. The incidents expose vulnerabilities in financial infrastructure, prompting a government initiative to bolster sector-wide cybersecurity.

    7. Lessons from Oracle's Security Breaches
    Oracle reported two separate breaches in a short span. The latest involved theft of outdated login credentials. These incidents reveal persistent challenges in securing large tech platforms and highlight the need for ongoing security improvements and scrutiny of legacy systems.

    8. Closure of OpenSNP Genetic Database
    OpenSNP is shutting down after 14 years, deleting all user data due to rising concerns over misuse of genetic data, especially amid growing political threats from authoritarian regimes. The founder emphasized protecting vulnerable populations and reevaluated the risks of continued data availability versus its research value.

    Artificial General Intelligence and The IT Privacy and Security Weekly Update for the Week Ending April 8th., 2025

    Apr 8, 2025 (18:30)


    EP 237. DeepMind just released a 108-page manual on not getting wiped out by our own invention, highlighting the fact that planning for an AI apocalypse could now be a core business line function.

    Sigstore machine learning model signing: AI models are finally getting digital signatures, because “mystery code from the internet” just wasn't a scalable trust strategy.

    Turns out your AI programmer can be tricked into writing malware, helping us understand that “copilot” isn't necessarily synonymous with “competent”.

    Italy's anti-piracy tool is blocking legit services like it's playing "whack-a-mole" blindfolded, but in this case the moles are cloud storage, like your Google Drive.

    The EU wants Europol to act like the FBI because privacy for our citizens is important, except when we want to read their encrypted messages.

    Hackers hit Aussie retirement funds, proving the only thing scarier than blowing through all your retirement money is someone else blowing through it all for you.

    Oracle's been hacked again, because who doesn't love a sequel with worse security and a bigger cleanup bill?

    OpenSNP just quit the internet after realizing DNA + authoritarian vibes = one dystopia too many.

    This week is a wild ride, so saddle up and hold on tight!

    EP 236.5 Deep dive - Unexplainable disappearances and The IT Privacy and Security Weekly Update for the Week Ending April 1st., 2025

    Apr 3, 2025 (16:12)


    1. What are some recent major cryptocurrency hacks, and how were they carried out?
    High-profile crypto breaches include Bybit (~$1.5B), Ronin Network ($625M), and Poly Network ($611M). Attackers exploited vulnerabilities via social engineering (notably in the Bybit case), smart contract flaws, phishing, and targeted blockchain bridges. State-backed groups are increasingly active in this space.

    2. How is malware evolving to bypass traditional antivirus tools, and what languages are favored by attackers?
    Cybercriminals are turning to languages like Rust and Go to create or recompile malware, exploiting blind spots in antivirus tools that rely on static signature detection. These languages also offer cross-platform capabilities and security features that can be weaponized.

    3. What happened to computer scientist Xiaofeng Wang, and why is it significant?
    The FBI raided Wang's home; he's a well-known Indiana University expert in cryptography and privacy. Since the raid, he's gone missing, with his online presence scrubbed. The secrecy surrounding his disappearance, combined with his sensitive field of work and Chinese background, raises serious questions.

    4. Why is AI firm Anthropic sweeping its offices for hidden devices?
    To combat rising concerns about espionage and IP theft, Anthropic is conducting physical security sweeps. This move reflects heightened tensions in the competitive AI landscape and the growing risk of surveillance and corporate spying in the industry.

    5. What API security change is Cloudflare making, and why does it matter?
    Cloudflare is enforcing HTTPS-only access for its API domain by shutting down HTTP ports entirely. This ensures encrypted communication, protecting API tokens and user data, and sets a strong precedent for better internet-wide encryption standards.

    6. How did Madison Square Garden use surveillance tech to ban a fan, and what does it imply?
    MSG banned a fan for life after facial recognition identified him as the creator of a CEO-critical T-shirt. This incident underscores the growing use of surveillance in private venues and its implications for free expression and long-term personal tracking.

    7. What data exposure was found in several dating apps?
    Researchers found ~1.5M unprotected, sensitive photos, some explicit, exposed by five dating apps from M.A.D Mobile. Images included private messages and content believed to be deleted. This highlights the dangers of poor data hygiene and storage practices.

    8. What security failure occurred at the UK's GCHQ involving an intern?
    A GCHQ intern copied top-secret data from a secure system to his personal phone, then transferred it to a home hard drive. This breach reveals critical weaknesses in internal controls, particularly around device security and data exfiltration prevent

    Unexplainable disappearances and The IT Privacy and Security Weekly Update for the Week Ending April 1st., 2025

    Apr 2, 2025 (19:32)


    EP 236. For the biggest crypto hacks, it turns out “HODL” doesn't protect you from miscreants with social engineering degrees.

    Hackers are now coding in Rust and Go, because multilingual malware is harder to catch.

    An esteemed university computer scientist simply disappears. (See if you can pick up on the clues.)

    Anthropic expands into AI workplace cleaning, but before you get too excited, they're only sweeping offices for now.

    Cloudflare slams the door, making one well-known transfer protocol vanish.

    Then, design one anti-CEO shirt and "boom", a lifetime ban from Madison Square Garden.

    Millions of spicy selfies spilled online, and now your privates may be public.

    And we finish with the burning question of who blew up national security... the intern or GCHQ?

    Let's go find some explanations.

    EP 235.5 Deep Dive. The IT Privacy and Security Weekly Update and a Gene Genie for the Week Ending March 25th., 2025

    Mar 27, 2025 (15:47)


    Privacy Risks of 23andMe Bankruptcy
    A breach impacting 7 million users, coupled with lawsuits and financial distress, means 23andMe's 15 million genetic profiles could be sold or misused under a new buyer. The California Attorney General has urged users to delete their data and destroy physical samples, highlighting the vulnerability of storing sensitive genetic information with for-profit entities under financial strain.

    Clearview AI's Data Acquisition Attempts
    Clearview AI tried to buy a massive database of arrest records, mugshots, and personal details (like social security numbers). This would greatly expand its controversial facial recognition repository, fueling concerns about privacy, consent, and misuse by governments or private actors.

    Hungary's Use of Facial Recognition at Pride Events
    Hungary banned Pride events and authorized facial recognition to identify attendees, who may face fines under “child protection” laws. Critics view this as an attack on free assembly and expression, especially for LGBTQ+ communities, creating a chilling effect on peaceful protests.

    China's New Facial Recognition Rules
    Facial recognition is banned without consent and in private spaces, requiring privacy assessments and encryption. However, these rules exclude “algorithm training,” meaning facial images may still be collected for AI development, undermining the intended privacy protections given China's widespread CCTV presence.

    US Coordination on Russian Cyber Threats Halted
    US national security agencies ceased joint efforts against Russian cyberattacks, disinformation, and oligarch asset seizures. This abrupt stop raises concerns over weakened defenses against foreign interference, though official explanations remain unclear.

    Microsoft's Unpatched .LNK Exploit
    An eight-year-old Windows shortcut (.LNK) exploit persists, with Microsoft labeling it a “UI issue” rather than a security flaw. Attackers, including state-sponsored groups, hide malicious commands in whitespace, leaving users vulnerable to spying and data theft.

    Windows 10 End of Support
    With support ending in October 2025, Microsoft urges users (over half of its Windows base) to buy new hardware for Windows 11. This approach overlooks the financial burden on many and disregards feasible upgrades or affordable alternatives for existing devices.

    Dutch Universities Shifting Away from WhatsApp
    Schools such as Utrecht and Avans recommend moving to Signal over privacy and misinformation concerns tied to WhatsApp's data-sharing practices. Signal's strong encryption, open-source nature, and non-profit status align with the need for secure, private communication in educational settings.

    The IT Privacy and Security Weekly Update and a Gene Genie for the Week Ending March 25th., 2025

    Mar 26, 2025 (19:05)


    EP 235. DNA of 15 Million People For Sale. Turns out your great-great-grandparents' DNA is now a going-out-of-business clearance sale!

    Clearview Tried to Buy Social Security Numbers and Mugshots. Shopping list: milk, eggs, 690 million arrest records, and a side of your soul.

    Hungary Uses Facial Recognition to Suppress a Pride March, because nothing says “freedom” like being fined for your face.

    China says no facial recognition in hotel rooms, so go ahead and enjoy your surveillance-free shower while it lasts.

    US Agencies Halt Counter-Russian Cyberattack Coordination to stop Russian cyber sabotage and, what could possibly go wrong?

    Microsoft Isn't Fixing 8-Year-Old Shortcut Exploit. Maybe it's a new cybersecurity policy: "If we ignore it long enough, perhaps it'll go away!"

    Then, if you have a Windows 10 machine and can't install Windows 11, Microsoft suggests a fix. Buy a new computer and maybe get a second job.

    And finally, Dutch universities to WhatsApp: "It's not you, it's us. We just can't get comfortable with your data hoarding."

    Let's go try on some genes!

    EP 234.5 Deep Dive. The IT Privacy and Security Weekly Update for the Week Ending March 18th., 2025

    Mar 20, 2025 (17:08)


    Why Should I Change My Passwords Immediately?
    Recent studies show that around 50% of online passwords are already compromised, and 41% of successful logins involve breached credentials. Common passwords like “123456” and password reuse make it easy for cybercriminals, especially with automated bots, to access multiple accounts. Changing passwords and using unique, strong credentials with multi-factor authentication is critical for security.

    Starting March 28th, all Alexa requests will be processed in Amazon's cloud, regardless of previous settings. Amazon claims this supports new AI features, but it means even users who opted out of saving voice recordings will now have all interactions recorded and sent to Amazon. This also impacts features like Voice ID, which won't function without stored voice data. While Amazon encrypts transmissions and provides some privacy controls, this shift raises concerns about increased data collection and potential personalization for shopping.

    Microsoft will stop providing free security updates for Windows 10 in October 2025, leaving charities that refurbish and donate older PCs with limited options. Many of these computers cannot run Windows 11, forcing organizations to choose between using an insecure OS, transitioning to Linux, or discarding hardware, contributing to electronic waste. While Linux is a secure, free alternative, its unfamiliar interface may pose usability challenges for some recipients, especially seniors.

    StilachiRAT is a newly discovered remote access trojan (RAT) targeting cryptocurrency wallets like MetaMask and Coinbase Wallet. This malware remains undetected on infected systems, stealing sensitive data, including credentials stored in browsers like Chrome. By accessing login credentials, attackers can drain funds from wallets. StilachiRAT also collects system data, increasing victims' exposure. While not widespread yet, its advanced capabilities make it a serious threat to crypto users.

    A Chinese state-sponsored hacking group remained undetected in a small Massachusetts power utility for over 300 days, showing that even lesser-known infrastructure is a target for cyber espionage. Attackers can use these breaches to test methods, gain footholds in critical networks, and extract operational data such as grid layouts. This underscores the need for robust security measures, continuous monitoring, and multi-factor authentication for all organizations, especially in critical sectors.

    Anthropic CEO Dario Amodei warns that state-sponsored actors, likely from China, are trying to steal “algorithmic secrets” from US AI firms. Some critical algorithms, despite representing massive investments (potentially $100 million), are just a few lines of code, making them easy to exfiltrate if security is breached. Amodei argues that the US government should take stronger action to protect these assets from industrial espionage.

    Allstate Insurance's National General unit had websites that displayed personally identifiable information (PII) in plaintext during the quote process. When users entered their name and address, the system exposed full driver's license numbers (DLNs) of the applicant and other residents at that address. Attackers used bots to harvest at least 12,000 DLNs, leading to fraudulent claims. This highlights the importance of secure website design and responsible data handling to prevent unauthorized access.

    For the other 50%. The IT Privacy and Security Weekly Update for the Week Ending March 18th., 2025

    Mar 19, 2025 (17:09)


    EP 234. For our first story, apparently there's a 50% chance your password is headlining a hacker convention. Perhaps it's time to change up from ‘123456' (still the most commonly used password).

    Starting on March 28, everything you say to your Echo will be sent to Amazon. Alexa's new motto: ‘Anything you say can and will be used to personalize your shopping cart, and we mean potentially anything!'

    The end of Windows 10 leaves PC charities with a tough choice: risk Windows 10, embrace Linux, or send Grandma's old PC straight to the tech graveyard?

    Then Microsoft flags a new threat draining crypto from top wallets. Meet StilachiRAT, the malware so enthusiastic about your crypto it'll snatch it faster than you can configure your wallet software!

    Chinese hackers sat undetected in a small Massachusetts power utility for months. Who knew a cozy little power company could double as the perfect 300-day Airbnb for homeless cyber-spies?

    Anthropic CEO says spies are after $100 million AI secrets in a 'few lines of code'. So when your fortune fits in a handful of lines, hitting Ctrl+C could be the new diamond heist.

    Finally, Allstate Insurance gets sued for delivering PII in plaintext. You're in good hands with Allstate, we just can't tell you whose.

    Let's update the other 50%!

    Deep Dive. Keep it Safe. Featuring 21 Crypto scams to avoid. The IT Privacy and Security Weekly Update for the Week Ending March 11th., 2025

    Mar 13, 2025 (19:22)


    EP 233.5

    Key Cryptocurrency Threats & Scams
    In 2025, crypto remains a hotspot for scams like Ponzi schemes, fake ICOs, pump-and-dumps, phishing attacks, and malicious wallets or exchanges designed to steal funds. Social media is often used for deceptive giveaways, impersonations, and investment scams. Other risks include fake mining operations, rug pulls, fraudulent apps, SIM swapping, and impostor tech support.

    AI Skills Demand in the Tech Job Market
    AI expertise is increasingly sought after, with about one in four U.S. tech job postings requiring AI-related skills. This trend cuts across industries like healthcare, finance, and professional services. Although overall tech job postings have dipped, AI job listings have surged since ChatGPT's launch, offering premium pay and higher job security.

    What Is Free95?
    Free95 is an open-source operating system on GitHub aiming for Windows compatibility without the bloat. It currently supports basic Win32 programs, with future plans for DirectX and gaming. Its creators prioritize security, simplicity, and independence from major corporate control, positioning it as a leaner alternative to systems like ReactOS.

    DOJ Push for Google to Sell Chrome
    The U.S. Department of Justice still wants Google to divest Chrome, citing an illegal monopoly in search. The DOJ argues that selling Chrome would create room for genuine competition. While it continues to push for restrictions on Google's paid search placement deals, it has dropped calls for Google to shed AI start-up investments.

    Edge Computing on the ISS
    Axiom Space and Red Hat's AxDCU-1 data center on the ISS tests cloud, AI, and cybersecurity in orbit. Red Hat's Device Edge software enables real-time data processing in space, crucial due to limited satellite links with Earth. This development could boost AI training, imaging, cybersecurity, and overall autonomy in space operations.

    Undocumented ‘Backdoor' in a Chinese Bluetooth Chip
    Researchers found hidden commands in the ESP32 microcontroller, used in over a billion devices. Attackers could exploit these commands to impersonate devices, steal data, or infiltrate networks. The chip's widespread adoption in smartphones, locks, and medical equipment heightens the security risk, as attackers might gain long-term control.

    Security & Privacy Concerns of ‘Agentic AI'
    Signal President Meredith Whittaker warns that agentic AI requires broad system access, potentially gathering financial, scheduling, and messaging data with near-root permissions. This could break down privacy barriers between apps and introduce significant security risks, especially if sensitive data is processed in the cloud.

    Expanded Social Media Screening for Non-Citizens
    The U.S. is considering extending social media checks beyond new arrivals to all non-citizens applying for benefits like permanent residency or citizenship. This raises privacy concerns, as individuals who entered before such screenings were routine may now face additional digital scrutiny when adjusting their immigration status.

    Keep it Safe. The IT Privacy and Security Weekly Update for the Week Ending March 11th., 2025

    Mar 12, 2025 (18:40)


    EP 233. This week... is seized crypto linked to LastPass? Feds pocket $23M in hot crypto, but with hackers still sitting on hundreds of millions, it's like finding loose change in the couch.

    Signal's boss says our ‘magic AI butler' needs root access to everything. What could possibly go wrong?

    AI is reshaping tech jobs, and with nearly one in four tech gigs demanding AI skills, either learn to talk to robots or prepare to serve them coffee.

    Your Bluetooth toaster might secretly be dialing up hackers, because who doesn't love a little espionage with their morning bagel?

    With the UK quietly removing encryption advice, Brits wake up to find official security tips gone, like a polite note saying ‘We'd prefer you in clear text, chaps.'

    Indian tax officials are granted sweeping digital access and can now dig through socials, emails, and maybe grandma's recipe folder. Nothing's sacred if there's tax to be had.

    Elon's empire takes another DDoS beating. Dark Storm claims credit, X users just want their snarky tweets back.

    We finish with the discovery of a fake website spewing AI slop that topped Google Search. AI conjures space fantasies that outrank real news, and it turns out that even Google can't spot the Millennium Falcon imposter.

    Let's keep it safe.

    EP 232.5 Deep Dive - See for Miles and Miles with The IT Privacy and Security Weekly Update for the Week Ending March 4th., 2025

    Mar 6, 2025 (18:56)


    How did Microsoft's Copilot expose private GitHub repositories, and what are the risks?
    Copilot accessed over 20,000 private GitHub repositories due to cached data from when they were public. Even after repos were made private, Copilot could still generate responses using this cached data, risking exposure of sensitive information like credentials and corporate secrets.

    What is the "nRootTag" exploit in Apple's Find My network?
    The "nRootTag" exploit allows attackers to track Bluetooth devices like AirTags without owners knowing. While AirTags use cryptographic keys to change Bluetooth addresses, attackers can rapidly compute these keys using GPUs, achieving a 90% tracking success rate.

    Why is the UK demanding an iCloud backdoor, and how has Apple responded?
    The UK wants access to encrypted iCloud data for law enforcement, but Apple opposes it, withdrawing its Advanced Data Protection from the UK. The US has also criticized the demand as a privacy and legal overreach.

    Why is Signal withdrawing from Sweden?
    Signal is leaving Sweden over proposed laws requiring backdoor access to encrypted chats. The company refuses to weaken encryption, emphasizing its commitment to user privacy.

    Why has the US reportedly halted offensive cyber operations against Russia?
    The US Cyber Command, under Defense Secretary orders, has paused cyber attacks on Russia, possibly for diplomatic reasons. Supporters see it as de-escalation; critics worry it weakens deterrence against Russian cyber threats.

    Why has Australia banned Kaspersky Lab products?
    Australia banned Kaspersky from government systems, citing espionage and foreign interference risks. The move signals concerns over antivirus software's deep system access and the company's Russian ties.

    How was a Cellebrite exploit used to hack a Serbian student's phone?
    A Cellebrite zero-day targeting Android's Linux kernel USB drivers allowed attackers with physical access to bypass the lock screen. This raises concerns over surveillance tools being misused against activists.

    What changes did Mozilla make to Firefox Terms of Use, and why was there backlash?
    Mozilla initially claimed broad rights over user-submitted content, sparking fears of data monetization. After criticism, they revised the terms, clarifying user ownership and denying AI data harvesting.

    EP 232 You can see for Miles and Miles with The IT Privacy and Security Weekly Update for the Week Ending March 4th., 2025

    Mar 5, 2025 (16:48)


    This week: Microsoft's Copilot is living up to its name—because apparently, once it gets a glimpse of your code, it just can't unsee it.
    Hackers just turned every Bluetooth device into an involuntary AirTag—so congrats, your wireless headphones are now a tracking device.
    The UK wants a backdoor to look into iCloud, and the US just responded with a very diplomatic “absolutely not.”
    Sweden wanted a backdoor, but Signal ghosted them instead—because encryption doesn't do toxic relationships.
    The US was cyber-attacking Russia? Shocking! Next you'll tell us we need stronger glasses.
    Australia finally decided that letting Russian software protect their government computers was like asking an elephant to deliver eggs.
    Cellebrite's phone exploits are so good, even governments can't resist misusing them.
    Mozilla accidentally claimed ownership of everything you type into Firefox, then backtracked faster than a politician caught on a hot mic.
    We can see for miles and miles. Come on, let's focus in for a better look.
    Find the full transcript to this week's podcast here.

    EP 231.5 The Deep Dive into The IT Privacy and Security Weekly Update for the Week Ending February 25th., 2025 goes Coconuts

    Feb 27, 2025 (16:46)


    Which AI chatbots pose the biggest privacy risks, and what data are they collecting and sharing?
    A recent study revealed that all top ten AI chatbots on the Apple App Store collect user data, with 30% sharing it with third parties for advertising or measurement. Specific incidents include an AI chatbot named WotNot exposing 346,000 sensitive customer files and ChatGPT facing temporary bans over the use of personal data for model training without user consent. The advice is to treat chatbots like untrustworthy coworkers and avoid sharing sensitive personal information.

    Why did Apple remove its Advanced Data Protection (ADP) feature in the UK?
    Apple removed its Advanced Data Protection (ADP) feature, which provided end-to-end encryption for iCloud data, in the UK after the government ordered the company to build a backdoor for accessing user data. Apple chose to remove the feature entirely rather than compromise the security of its encryption. This action raises concerns about governments potentially outlawing strong encryption, which could reduce security for everyone and expose users to greater risks from surveillance and other bad actors.

    What are VPN providers in France and Spain facing, and why are they considering leaving the French market?
    In France, entertainment companies are pushing for legal action to force VPN providers to block access to pirate sites. In Spain, Cloudflare has been blocked on weekends after being accused of hosting pirate streaming sites. VPN providers argue that these demands are risky and could lead to security vulnerabilities and excessive blocking, compromising their core mission of providing legitimate privacy and security services.

    What is California doing to enforce data privacy, and what measures should individuals take to protect their data?
    California is taking a "radical" approach by actively enforcing its privacy laws through the California Privacy Protection Agency. This agency is tasked with investigating violations, issuing fines, and educating businesses about compliance. To protect your data, scrutinize app permissions, check browser extensions for suspicious activity, monitor location requests, be mindful of voice assistant settings, and disable unnecessary tracking features on wearables.

    What issues are users experiencing with the latest Windows 11 update (KB5030310)?
    The latest Windows 11 update, KB5030310, is causing various issues, including File Explorer freezing or crashing, vanishing icons, locked windows, and problems with multi-monitor setups. Some users have also reported silent or disappearing notifications.

    What is the "Uber for armed guards" service, and why is it gaining traction?
    Protector, an app providing on-demand armed security similar to Uber, is gaining traction in NYC and LA. Users can book armed guards, described as active or retired law enforcement and military, complete with a motorcade of Escalades.

    What security vulnerability was discovered in MESH by Viscount access control systems, and what are the implications?
    A significant vulnerability was discovered in MESH by Viscount access control systems due to unchanged default login credentials. This allows unauthorized individuals to access the systems remotely, view sensitive resident data (names, unit numbers, phone numbers), and manipulate building access controls, including unlocking doors and disabling access fobs.

    What is "surveillance pricing," and what are states doing to combat it?
    "Surveillance pricing" is a tactic where companies use personal data, such as browsing history and spending habits, to hike up prices for consumers. States are stepping up to ban or limit these practices to promote fairer prices and stronger privacy protections. Individuals can protect themselves by monitoring for unexplained price jumps, regularly clearing browsing data, disabling unnecessary tracking, and questioning excessive permission requests.

    The IT Privacy and Security Weekly Update for the Week Ending February 25th., 2025 goes Coconuts

    Feb 26, 2025 (18:49)


    EP 231 This week we wonder which chatbot takes "sharing is caring" a little too far. Turns out some of them are spilling secrets faster than the office gossip at happy hour.
    Apple just told the UK, ‘You want a backdoor? Fine—we'll just remove the whole door.'
    France wants VPNs to stop streaming soccer pirates—because obviously the best way to protect privacy is to ban it entirely.
    California's cutting-edge privacy strategy? Actually enforcing the law. Who knew that was an option?
    Microsoft's latest Windows 11 update: because sometimes you need a brand-new bug to make you forget the old ones.
    Uber with Armed Guards: Now you can hail a bodyguard the same way you hail a taxi—apparently commuting got a whole lot scarier.
    If your building's master key is this public, don't be shocked when you arrive home after work and the in-laws are waiting for dinner.
    Tired of costly coconuts because your phone snitched on your spending habits? Some states are finally calling out this ‘personalized' markup as nuts.
    Race you to the fresh produce section!
    Find the full transcript to this podcast here.

    EP 230.5 Deep Dive - The 'Secrets' of the IT Privacy and Security Weekly Update for the Week Ending February 18th., 2025

    Feb 20, 2025 (19:14)


    1. What happened with Elon Musk's DOGE (.gov) website, and why is it significant?
    DOGE's official website, doge.gov, suffered a significant security breach due to a glaring vulnerability. The site's database was accessible and editable by the public because it was built on Cloudflare Pages instead of secure government servers. This allowed unauthorized individuals to modify content, highlighting a lack of stringent cybersecurity measures in government websites managed by DOGE. It demonstrates a lapse in basic security practices and raises concerns about the overall security and professionalism of government websites.

    2. What are the risks associated with employees sharing data with generative AI chatbots like ChatGPT, and what are companies doing about it?
    A substantial percentage (8.5%) of employee interactions with generative AI tools involve sensitive data, such as customer information (billing details, insurance claims, etc.). This raises significant security, compliance, privacy, and legal concerns for organizations. Sharing sensitive data with AI tools can lead to data breaches and leaks. Some companies, like Samsung, have prohibited the use of generative AI systems to prevent the inadvertent upload of confidential company information to external servers. The increasing integration of AI into workplace tools necessitates a reevaluation of data security protocols.

    3. Why was DeepSeek, the Chinese AI chatbot, removed from South Korean app stores?
    DeepSeek was removed from South Korean app stores due to privacy concerns identified by the Personal Information Protection Commission (PIPC). The PIPC found that DeepSeek lacked transparency about sharing user data with third parties and potentially collected excessive personal information. The app's data practices might violate local privacy laws. Similar actions have been taken in other countries and regions, indicating a global concern over DeepSeek's data handling.

    4. Who are "Salt Typhoon," and what are they doing?
    Salt Typhoon is a Chinese hacking group that continues to infiltrate global telecommunications networks despite U.S. sanctions. They exploit vulnerabilities in Cisco routers and switches to gain unauthorized access to sensitive data. They have breached telecom companies, internet service providers, and universities across multiple countries, including the U.S. Their targets are often entities involved in advanced research in telecommunications, engineering, and technology.

    5. How can individuals protect themselves from cyber espionage activities like those carried out by Salt Typhoon?
    Individuals can protect themselves by regularly updating the security patches on their personal devices, especially routers and switches. It is also recommended to use end-to-end encrypted messaging apps like Signal or Session for secure communication.

    6. What is the German Cartel Office's concern regarding Apple's App Tracking Transparency (ATT) feature?
    The German Federal Cartel Office is investigating whether Apple's ATT feature constitutes an abuse of power. The concern is that Apple's privacy policies may inadvertently give it a competitive advantage over other companies reliant on advertising tracking.

    7. What is PIN AI, and what does its new mobile app do?
    PIN AI is a company that has launched a mobile app allowing users to create their own personalized, private AI model directly on their smartphone. The AI models created are powered by DeepSeek or Llama.

    8. How is AI impacting the IT job market, and what can IT professionals do to adapt?
    AI is having a significant impact on the IT job market, with IT unemployment rising to 5.7% in January, surpassing the overall jobless rate. Major companies are implementing layoffs linked to cost-cutting measures and a growing reliance on AI technologies. To adapt, IT professionals need to retrain and stay at the cutting edge of technology.

    EP 230 The 'Secrets' of the IT Privacy and Security Weekly Update for the Week Ending February 18th., 2025

    Feb 19, 2025 (15:50)


    In this week's update: Musk's DOGE website gets more editing than his tweets.
    Employees sharing secrets with AI chatbots prove humans haven't learned anything from social media oversharing.
    South Korea puts DeepSeek in the digital doghouse until it learns to play nice with privacy rules.
    Chinese hackers show that even after sanctions, you can't stop a Salt Typhoon with an umbrella.
    Apple's privacy features are too private for Germany's taste - plot twist nobody saw coming.
    Finally, an AI that promises to keep your secrets... on your phone, where you'll probably still accidentally share them anyway.
    AI takes tech jobs, and proves it learned "layoffs" from watching human managers.
    Let's go unearth those secrets!
    Find the full transcript to this podcast here.

    EP 229.5 Deep Dive into Trashed; IT Privacy and Security Weekly Update for The Week Ending February 11th 2025

    Feb 13, 2025 (12:07)


    Frequently Asked Questions: Privacy, Security, and the State of Tech (Early 2025)

    1. What is "SparkCat" and why is it significant?
    SparkCat is malware discovered hiding in both the Apple App Store and Google Play. It uses optical character recognition (OCR) to scan users' photo galleries for cryptocurrency wallet recovery phrases and uploads them to attacker-controlled servers. Over 242,000 Android users downloaded infected apps. It highlights the evolving sophistication of malware and the need for increased vigilance, even with apps from reputable sources.

    2. What is the UK government asking Apple to do, and what are the potential implications?
    The UK government has reportedly ordered Apple to create a backdoor allowing access to encrypted cloud backups of users worldwide, through a technical capability notice under the Investigatory Powers Act. Apple is likely to discontinue its encrypted storage service in the UK rather than compromise user security globally. If Apple complies, it could set a dangerous precedent for other governments to demand similar access, undermining encryption and weakening security for everyone.

    3. What is the story about the man trying to buy a landfill, and what does it illustrate?
    A man is trying to buy a landfill to search for a hard drive containing his lost Bitcoin fortune. While seemingly absurd, it illustrates the very real consequences of poor digital asset management and data security. It highlights the permanence (and potential inaccessibility) of digital assets and the lengths people will go to recover them, even resorting to extreme measures.

    4. Why is the US considering banning the DeepSeek AI app?
    The US is considering banning the Chinese AI app DeepSeek due to concerns that it collects data for a foreign government (China). The app pumps data to China Mobile unencrypted, and there are close ties between the company and the Chinese military. This aligns with the US government's broader concerns about foreign-owned apps, especially those from China, posing national security risks due to data privacy and potential surveillance.

    5. What is the massive brute-force attack targeting VPNs, and how can organizations protect themselves?
    A large-scale brute-force attack is targeting VPN devices from companies like Palo Alto Networks, Ivanti, and SonicWall, utilizing nearly 2.8 million IP addresses. Attackers are attempting to guess usernames and passwords to gain unauthorized access. To protect edge devices, organizations should change default admin passwords to strong, unique ones, enforce multi-factor authentication (MFA), use allowlists of trusted IPs, disable web admin interfaces if they are not needed, and ensure VPN software is fully up to date.

    6. Why is Google's removal of its pledge not to build AI for weapons or surveillance significant?
    Google's removal of its pledge not to build AI for weapons or surveillance is a concerning development. It suggests a shift in the company's ethical stance and a willingness to potentially engage in activities that could have negative consequences for human rights and global security. It raises questions about the future direction of AI development and the role of tech companies in shaping its use.

    7. What is "enshittification" and how does it relate to current tech trends?
    "Enshittification" refers to the gradual decline of online services as they prioritize profits over user experience. This process involves platforms initially offering value to users, then shifting focus to business customers, and finally exploiting both for maximum profit. Examples include Twitter restricting API access, Facebook prioritizing sponsored content, smart TVs becoming data-hungry ad machines, and Google Assistant's diminishing functionality. It reflects a broader trend of tech companies sacrificing user experience for financial gain.

    Trashed. The IT Privacy and Security Weekly Update for The Week Ending February 11th., 2025

    Feb 12, 2025 (17:01)


    Episode 229
    If your seed phrase was in your photo gallery, congratulations! You might have just funded North Korea's next missile launch.
    The UK government just asked Apple to make privacy optional—because nothing says "secure" like a government-mandated security hole.
    A man wants to buy an entire rubbish tip to find his lost Bitcoin hard drive—because sometimes, your financial future is literally garbage.
    The US is considering banning a Chinese AI app, proving once again that if it's cheap, efficient, foreign, unencrypted, and collects data for a foreign government, it's probably too good to be true.
    Massive VPN Attack – 2.8 million IPs are trying to brute-force their way into VPNs—because apparently, resetting the default admin credentials to a "strong password" is still too much to ask.
    Google quietly removed its promise not to build AI for surveillance or weapons, so expect "Don't Be Evil" to disappear completely in a rev. or two.
    If your smart TV, social media, and AI assistants feel like they hate you, it's not paranoia—it's capitalism, or that other word we can't repeat here.
    Earth's Inner Core Is Changing – Scientists say the Earth's core might be slowing down, which is great, because the last thing we needed was more things spinning out of control.
    Let's go digging!
    Find the full transcript to this podcast here.

    EP 228.5 Deep Dive The IT Privacy and Security Weekly Update for The Week Ending February 4th 2025 From DeepSeek to Despair

    Feb 6, 2025 (15:54)


    What is the primary concern regarding the use of WhatsApp and other encrypted messaging apps recently?
    Recent reports indicate that spyware, specifically "Graphite," has been used to target journalists and civil society members through zero-click attacks on encrypted apps like WhatsApp, Telegram, and Signal. This means that these apps are not as secure as previously thought, even though they employ end-to-end encryption. The spyware can infect devices without any user interaction and potentially compromise communication data.

    What are the security vulnerabilities identified in certain healthcare patient monitors?
    The FDA has highlighted cybersecurity issues in Contec's CMS8000 and Epsimed's MN-120 patient monitors. These devices, when connected to the internet, are susceptible to unauthorized remote control, software backdoors, and data breaches containing personal health information. One backdoor was linked to a Chinese IP address, raising additional concerns about foreign access to sensitive health data.

    Why has the Chinese AI chatbot, DeepSeek, been banned in Italy and Taiwan?
    Italy's data protection agency blocked DeepSeek because its developers did not adequately explain how user data is collected or confirm whether it's stored on Chinese servers. Taiwan's digital ministry also banned the use of DeepSeek by government departments, citing security concerns related to its Chinese origin.

    What led to DeepSeek's data being exposed online and what kind of information was affected?
    Cybersecurity firm Wiz discovered a significant amount of sensitive data from DeepSeek was left unsecured on the open internet due to an apparent misconfiguration. This data included over a million lines of data such as digital software keys and user chat logs.

    What is Senator Hawley's proposed bill regarding Chinese AI models, and what could be the consequences for individuals?
    Senator Josh Hawley has introduced the "Decoupling America's Artificial Intelligence Capabilities from China Act," which aims to criminalize the import, export, and collaboration on AI technology with China. Under the proposed law, knowingly downloading a Chinese AI model, such as DeepSeek, could lead to severe penalties, including up to 20 years in prison, a million-dollar fine, or both. The bill reflects growing concerns about national security and the potential for China to leverage AI for hostile purposes.

    How is Amazon being accused of tracking consumers, and what type of data are they allegedly collecting?
    Amazon is facing a class-action lawsuit accusing the company of secretly tracking consumers' movements through their cellphones via its Amazon Ads SDK, embedded within third-party apps. It's alleged that the SDK collects sensitive geolocation data without users' explicit consent, such as IP addresses, location, ISP, device info, and network performance metrics. This data is used to build a detailed picture of consumers' habits and preferences, raising privacy concerns about corporate surveillance.

    What restrictions are being placed on open-source contributions, and who is being affected?
    The US Office of Foreign Assets Control (OFAC) sanctions are imposing restrictions on open-source contributions from sanctioned individuals and countries. Developers from nations such as Russia, Iran, and North Korea are facing challenges when contributing to open-source projects due to these sanctions.

    How is Cloudflare addressing image authenticity concerns, and what are the potential benefits?
    Cloudflare has implemented Content Credentials, a system based on C2PA standards, that embeds metadata into images to track their origin and modifications. This system helps distinguish between genuine and manipulated content. The benefits are significant, as Cloudflare's network handles approximately 20% of global internet traffic, greatly increasing the potential reach of the system. This helps create trust in digital images, and preserves the work of digital creators.

    EP 228 The IT Privacy and Security Weekly Update for The Week Ending February 4th 2025: From DeepSeek to Despair

    Feb 5, 2025 (14:50)


    First, for some, it looks like WhatsApp chats weren't just end-to-end encrypted—they also came with a side of espionage.
    Then... your heart monitor might be more interested in Beijing than in your beats per minute.
    DeepSeek AI Blocked in Italy & Taiwan, Welcomed in India – "Two countries said ‘no way,' one said ‘namaste'—DeepSeek's global tour has some mixed reviews."
    And what happens when your AI chatbot leaks more secrets than a reality TV star's DMs.
    Senator Hawley's AI Ban Proposal – take us from DeepSeek to Despair.
    Then it turns out Amazon may know more about your whereabouts than your mom does when you ignore her calls.
    Devs, the US is blocking open-source contributions from sanctioned individuals and countries. That's a lot to keep track of when you are donating your time.
    Cloudflare enables content credentials – "Finally, a way to prove your photo was taken by you, and not a random AI with too much free time."
    If life sometimes seems like a casino, where there are too many ways to lose a lot of money fast, we have a spirited response. Let's go get the detail.
    Find the full transcript here.

    EP 227.5 Deep Dive - 21 Attack Types and The IT Privacy and Security Weekly Update for The Week Ending January 28th 2025

    Jan 30, 2025 (20:48)


    What is "surveillance pricing" and how does it affect me?
    Surveillance pricing is a practice where online retailers adjust prices based on your personal data, such as location, browsing history, and demographics. Companies collect data like mouse movements and items left in your shopping cart to determine what you're likely willing to pay. This can lead to different individuals being offered varying prices for the same product. To mitigate this, consider using VPNs, browser extensions that block tracking, regularly clearing browser cookies, and being cautious about the personal information you share online.

    What car vulnerabilities were recently discovered, and how can I protect myself?
    Security researchers recently found vulnerabilities in Subaru's web portal, allowing remote control of vehicles, including unlocking doors, starting the engine, and tracking location. Millions of Subaru vehicles with Starlink digital features were potentially affected. While Subaru has patched the identified flaws, it's crucial for all car owners to ensure their software is up-to-date. This is part of a larger trend of security issues in the automotive industry, so vigilance is essential.

    How is Meta using my data with its new AI, and can I opt out?
    Meta's new AI chatbot will use personal data from your Facebook and Instagram accounts to personalize its responses. This includes information from previous conversations, dietary preferences, and interests. Unfortunately, there is no option to opt out of this data-sharing feature.

    What was the recent ruling about the FBI's access to Americans' private communications?
    A federal court ruled that backdoor searches of Americans' private communications collected under Section 702 of FISA are unconstitutional without a warrant. This ruling found that even if the government can lawfully collect communications between foreigners and Americans, it can't search those communications without a warrant when those searches involve US persons. This stems from a case where the FBI searched emails of a US resident, collected under the premise of foreign intelligence, without a warrant. The court found this to be a Fourth Amendment violation.

    What are the dangers of North Korean IT workers, and how can we protect our companies?
    The FBI has warned that North Korean IT workers are abusing their access to steal source code and extort U.S. companies. They often copy company code repositories, harvest credentials, and initiate work sessions from non-company devices. To mitigate these risks, companies should apply the principle of least privilege, limit permissions for remote desktop applications, and monitor for unusual network traffic. Additionally, it is important to recognize that these workers may log in from different IPs over a short period.

    What is the new threat to the European power grid, and what makes it so concerning?
    Researchers have discovered that renewable energy facilities across Central Europe use unencrypted radio signals to control how much power is sent into the grid. By reverse-engineering the signals, they found they could potentially manipulate the system to cause widespread disruptions, including a grid-wide outage. The lack of encryption on these systems and the ability to control large amounts of energy poses a significant risk, especially considering current geopolitical tensions.

    What is the significance of DeepSeek's R1 model and how does it compare to models like OpenAI's?
    DeepSeek's R1 model is an open-source large language model (LLM) that offers open weights, allowing users to run it on their own servers or locally. It challenges OpenAI's proprietary model by providing a more cost-effective and accessible AI solution. DeepSeek uses a technique called distillation, where existing LLMs train new, smaller models. The emergence of R1 suggests a shift towards more commoditized AI and potentially increased accessibility and customization.

    What are some common types of cyber attacks and how can I defend against them?
    The sources list 21 common cyber attacks including: malware, phishing, ransomware, drive-by downloads, cross-site scripting (XSS), SQL injection, man-in-the-middle (MitM) attacks, DDoS attacks, password attacks, insider threats, credential stuffing, zero-day exploits, social engineering, session hijacking, eavesdropping, watering hole attacks, DNS spoofing, IoT attacks, supply chain attacks, brute force attacks, and spyware. Preventative measures involve using antivirus software, updating systems, avoiding untrusted downloads, verifying emails, using spam filters, performing regular backups, having strong firewalls, enabling MFA, monitoring activities, restricting access to risky sites, securing cookies, and training employees to recognize suspicious activity. The best way to stay protected is to stay informed. Keep listening.

    EP 227 21 Attack Types and The IT Privacy and Security Weekly Update for The Week Ending January 28th., 2025

    Jan 29, 2025 (19:05)


    EP 227 In this week's update we present 21 cyber attacks and a self defense program to stop and drop every single one of them.
    Shopping online? Your browsing habits might be telling stores you're willing to pay double.
    Congratulations to Subaru owners as the latest stars in ‘Hack My Ride.'
    Meta's new AI buddy knows your secrets—and nope, there's no "off" button for this overshare.
    The FBI just discovered that the Constitution wasn't keen on them peeking at your emails without a warrant.
    Your ‘remote coworker' from Pyongyang isn't just burning the midnight oil—he's burning a hole in your source code.
    And for the EU, renewable energy is great until someone tunes in and turns it all off.
    Move over ChatGPT; DeepSeek's open-source AI is here to make ‘big and secretive' look so last year.
    This week's update is the best yet, so let's start counting!
    Find the full transcript here.

    EP 226.5 Deep Dive. Shame on you. The IT Privacy and Security Weekly Update for the Week Ending January 21st. 2025

    Jan 24, 2025 (12:24)


    Data Privacy, Security, and Tech Trends in Early 2025

    1. What was the scale of healthcare data breaches in the U.S. during 2024?
    In 2024, the U.S. healthcare sector experienced a massive surge in cyberattacks, with approximately 720 reported breaches compromising an estimated 186 million user records. This exposed a vast amount of sensitive information, including names, contact details, Social Security numbers, and medical histories. This is approximately 56% of the US population.

    2. How did UnitedHealth handle its data breach notification, and what are the implications for affected individuals?
    UnitedHealth, specifically its subsidiary Change Healthcare, attempted to obscure its data breach notification webpage from search engines, making it difficult for the over 100 million affected individuals to learn about the incident. They used a “noindex” tag to keep it out of Google, burying the story of their breach. This led to widespread confusion and further distrust of the company. It also highlights how companies can use search engine optimization to hide breaches by burying the real stories.

    3. What is GeoSpy, and what privacy concerns does it raise?
    GeoSpy is an AI tool that can accurately predict the location of photos based on features within the images, such as vegetation, architecture, and spatial relationships. Originally available to the public, it's now marketed to law enforcement and government agencies. This technology raises serious privacy concerns, as it can be used by stalkers or other malicious actors to geolocate individuals from publicly available photos. The tool is now available to law enforcement and enterprise users, and some versions of it are more powerful than what was offered to the public.

    4. What restrictions were placed on General Motors (GM) regarding the sale of driving data?
    The Federal Trade Commission (FTC) banned GM and its subsidiary OnStar from selling customer geolocation and driving behavior data for five years. This action followed an investigation that revealed GM had been collecting and selling detailed driving information to insurance companies without obtaining explicit consent from vehicle owners.

    5. What is the UK's new digital wallet app, and what types of documents will it support?
    The UK is launching a digital wallet app called GOV.UK Wallet, allowing citizens to store government-issued documents on their smartphones. Initially supporting veteran cards, it will expand to include driver's licenses in late 2025, with plans to add passports, marriage certificates, and benefit documents by 2027.

    6. What security risks are associated with failed startups and "Sign in with Google" features?
    Former employees of failed startups using "Sign in with Google" features are vulnerable to data breaches. Hackers can exploit abandoned company domains and the associated Google login systems to access sensitive information stored in business software like Slack, Notion, and HR systems, including social security numbers. This vulnerability is particularly relevant to startups that used the "Sign in with Google" function.

    7. What challenges did Amazon employees face following the mandatory return-to-office policy?
    Amazon's mandate for a full return to the office resulted in significant challenges for employees, including a shortage of desks and meeting rooms, overcrowded parking facilities, and an increase in workplace thefts. The policy has also been criticized for forcing employees into video calls that could have been easily conducted remotely, and some employees reported that there is a lack of trust amongst colleagues.

    8. What are the $TRUMP and $MELANIA coins, and what controversies are surrounding them?
    Donald and Melania Trump introduced meme coins named $TRUMP and $MELANIA on the Solana blockchain. These coins quickly gained significant value, raising concerns about potential conflicts of interest and market manipulation.

    Shame on you. The IT Privacy and Security Weekly Update for the week ending January 21st. 2025.

    Jan 22, 2025 17:07


    EP 226 In 2024, hackers gave U.S. healthcare a crash course in oversharing—186 million records spilled, proving patient privacy is still on life support. UnitedHealth tried to bury its breach notice deeper than your inbox's spam folder, leaving 100 million victims googling in vain. A new AI tool can guess your photo's location faster than your nosiest neighbor—use portrait mode, or prepare to be geo-tagged! GM got caught selling your driving secrets—now they're banned for five years, but your insurance premium probably isn't impressed. The UK's digital wallet promises to declutter drawers, but we're still skeptical it'll clear up the chaos in government paperwork. Failed startups are gifting hackers access to your personal data—proof that your old Google login can haunt you more than your ex. Amazon's return-to-office plan lacks desks, parking, and common sense—so much for those "collaboration" benefits. Forget NFTs—Trump's $TRUMP and $MELANIA coins promise to make your wallet great again. Why wait a second longer? Let's find out what all the fuss is about. Find the full transcript to this podcast here.

    EP225.5 Hustle Hard Deep Dive. FAQ The IT Privacy and Security Weekly Update for the Week Ending January 14th 2025.

    Jan 16, 2025 21:10


    Tech & Privacy FAQ - Week of January 14th, 2025

    1. What's this new job referral "side hustle" all about? Some tech workers are making up to $30,000 by referring strangers for job openings. They connect with job seekers through platforms like Blind and Glassdoor, and sometimes use services like Refer Me and Refermarket to facilitate these referrals, even charging a fee. While referrals can improve hiring odds, this trend raises questions about authenticity and potential abuse.

    2. Why is the Texas Attorney General cracking down on data privacy? Texas AG Ken Paxton is taking a strong stance on data privacy. He's issued warnings to companies like Sirius XM and apps like MyRadar for allegedly sharing user data without consent. He's also suing Allstate for secretly collecting driver data via cellphone apps and car manufacturers to raise premiums. Texas seeks restitution for consumers, damages, and hefty fines.

    3. The EU fined itself for a GDPR violation? Seriously? Yes! The EU General Court fined the European Commission €400 for transferring a citizen's IP address to Meta in the US without proper safeguards. While a small fine, it sets a precedent and shows the EU's commitment to enforcing GDPR, even on its own institutions.

    4. Is my data at risk from quantum computers? Experts warn that quantum computers, still in their early stages, could eventually crack current encryption methods. While not an immediate threat, it's wise to start researching "quantum-resistant" solutions to safeguard your data in the future.

    5. How are hackers using AWS to hold data hostage? A ransomware group called Codefinger is exploiting stolen AWS keys to encrypt data in S3 buckets using AWS's own encryption. They then demand a ransom and set a timer to delete the data within a week. This highlights the need for strong IAM policies and regular key audits on AWS.

    6. What are the latest trends in cyberattacks? Cybercriminals are shifting from email-based malware to browser-based attacks like drive-by downloads and malicious ads. Compromised credentials are a growing problem, often obtained cheaply from fraud marketplaces. Staying updated with software, using ad blockers, and being cautious online are crucial.

    7. What's the T3 Financial Crime Unit doing about crypto crime? The T3 FCU, a collaboration between TRON, Tether, and TRM Labs, is actively combating crypto-related crime. They recently froze over $100 million in illicit assets across five continents. This highlights the importance of public-private partnerships in blockchain security.

    8. Who was behind the massive WazirX crypto hack? The US, South Korea, and Japan have jointly confirmed that North Korea's Lazarus Group orchestrated the $235 million WazirX hack. This incident reinforces the need for strong security measures within the cryptocurrency ecosystem and emphasizes the threat posed by state-sponsored hacking groups.

    Hustle Hard. The IT Privacy and Security Weekly Update for the Week Ending January 14th. 2025.

    Jan 15, 2025 16:36


    EP 225 This week referring strangers for jobs is the new tech hustle... Proof that even networking has gone freelance. The Texas AG claims apps and insurers are snooping so hard they probably know your snack habits while he goes for big lunch money. The EU just fined itself €400 for breaking GDPR, demonstrating that even bureaucracies aren't above self-sabotage. Your data's safe today, but quantum computers might soon laugh at your encryption like it's a flip phone. Hackers use AWS to lock your AWS data; like robbers stealing your house keys and using them to lock you out. Step aside Phishing, browser hacks are the new cybercrime hotness; update your apps before they update your bank balance. T3 FCU froze $100 million in criminal crypto, reminding bad actors that crime doesn't pay—but it does chill. North Korea's Lazarus Group stole $235M in crypto, reminding us that even your custodial wallet isn't safe from global espionage. Let's Hustle. Let's hustle hard. Find the transcript to this podcast here.

    EP224.5 Deep Dive - Loose lips sink ships. The IT Privacy and Security Weekly Update for the Week Ending January 7th 2025.

    Jan 9, 2025 17:44


    Tech & Security Weekly FAQ: January 7th, 2025

    1. Why is Apple paying $95 million in a lawsuit about Siri? Apple is settling a lawsuit alleging Siri "unintentionally" recorded private conversations without user consent. The lawsuit claimed these recordings were shared with third parties and used for targeted advertising. While denying wrongdoing, Apple will compensate affected users up to $20 per Siri-enabled device purchased between September 2014 and December 2024 and delete recordings obtained before October 2019.

    2. What happened to MyGiftCardSupply's customer data? MyGiftCardSupply, an online gift card store, exposed hundreds of thousands of customers' identity documents due to a publicly accessible storage server with no password protection. This server contained sensitive information like driver's licenses, passports, and selfies taken for KYC compliance, putting customers at risk of identity theft.

    3. Are Chrome extensions safe to use? Hackers are increasingly targeting Chrome extensions, including popular VPNs and AI tools, by injecting malicious code through updates. This can compromise user data and accounts. Users are advised to carefully review extension permissions, only install extensions from trusted sources, and be cautious of unexpected updates.

    4. Is Windows 10 still relevant despite the release of Windows 11? Despite Microsoft's promotion of Windows 11, Windows 10 remains the dominant desktop OS, holding a 62.7% market share. This is partly due to user reluctance to upgrade and a significant increase in Windows 10 installations in the US. However, support for many Windows 10 versions ends in October 2025, pushing users towards either extended security updates or potential vulnerabilities.

    5. Why is outdated firmware a concern for medical devices? The Illumina iSeq 100 DNA sequencer and other medical devices use outdated firmware, leaving them vulnerable to malware attacks. Without security features like Secure Boot, malicious code can hide in the firmware, compromising device integrity and potentially patient safety. This highlights the need for manufacturers to prioritize firmware updates and security protocols in medical equipment.

    6. How are Chinese hackers evolving their tactics? Chinese hackers, allegedly linked to the military and intelligence, have shifted from corporate espionage to targeting critical US infrastructure, including water utilities, airports, and energy grids. This suggests preparation for potential geopolitical conflicts, particularly concerning Taiwan, aiming to disrupt US response capabilities. The sophistication and potential impact of these attacks raise serious concerns about escalating cyber-warfare between the two countries.

    7. Why are New Yorkers saying goodbye to the R46 subway cars? New York City is retiring its iconic R46 subway cars, known for their unique seating arrangement and nostalgic charm. These trains are being replaced by the modern R211 cars, featuring brighter lighting, enhanced accessibility, and longitudinal seating to optimize passenger flow. While some lament the loss of a cultural symbol, the upgrade promises a more efficient and modern transit experience.

    8. What does Meta's decision to end fact-checking mean for Facebook and Instagram users? Meta, the parent company of Facebook and Instagram, is ending its fact-checking program and loosening content moderation policies. Zuckerberg claims this aims to promote free speech, but critics argue it will lead to a surge in misinformation and harmful content. This shift raises concerns about the platforms' role in shaping online discourse and their potential impact on political and social issues.

    Loose Lips Sink Ships. The IT Privacy and Security Weekly Update for the Week Ending January 7th 2025.

    Jan 8, 2025 18:48


    Episode 224 Loose Lips Sink Ships. The IT Privacy and Security Weekly Update for the Week Ending January 7th 2025. In this week's update: Siri couldn't keep her ear shut, and then her loose lips cost Apple $95M as they learned the lesson: "Privacy isn't optional." Nothing says 'secure' like a password-free server holding 600,000 IDs, turning this gift card gaffe into MyGiftCardSupply's latest disaster. Hackers taught Chrome extensions a new trick, making Chrome chaos all about stealing your data, now enhanced with AI flair. Windows 10 users are hanging on tighter than your grandma's grip on her landline, epitomizing Windows woes as the OS refuses to fade. When your DNA sequencer runs firmware older than your Spotify playlist, this medical equipment drama becomes more science fiction than science. Chinese hackers aren't just stealing blueprints—they're blueprinting the future of cyberwarfare, potentially marking cyber as the next battleground. Be kind to New Yorkers this week, they lose their 50 year old R46 subway cars, where love-seats met New York grit, and gain a congestion charge that is hitting them like a new variant of Covid. Zuck says goodbye to fact-checking, ensuring Meta leaves the internet or at least their portion of it, bracing for chaos (again). Siri can't hear us if we keep moving. Let's go! Find the full transcript for this podcast here.

    EP 223.5 Deep Dive. The IT Privacy and Security Weekly Update for the Week Ending December 31st

    Jan 2, 2025 17:30


    IT Privacy and Security Weekly Update FAQ - December 31st, 2024

    1. Why isn't Apple building its own search engine? Apple has stated that developing a search engine is "outside of its core expertise" and would require substantial investment and resources. The company also cites the rapidly evolving field of AI as a deterrent, making such a venture "economically risky." Apple currently receives a significant revenue stream from Google for being the default search engine on Apple devices, making the development of their own search engine less appealing.

    2. What's the story behind Raspberry Pi's recent surge in value? Raspberry Pi, the maker of affordable single-board computers, saw its valuation exceed $1 billion in December 2024, driven primarily by increased demand in the U.S. market. The company's success is attributed to the versatility and low cost of its computers, which are popular among hobbyists, educators, and professionals. This accessibility has broadened the reach of computing and fueled Raspberry Pi's impressive growth.

    3. How did Chinese hackers breach the U.S. Treasury Department? Chinese state-sponsored hackers exploited a vulnerability in a third-party cybersecurity service provider used by the U.S. Treasury Department. By compromising this provider, the hackers gained access to a security key that allowed them to remotely access employee workstations and steal unclassified documents. This incident highlights the increasing sophistication of cyberattacks and the risks associated with reliance on third-party services.

    4. Why are missiles now the biggest threat to airline passengers? Accidental missile strikes on commercial aircraft have become the leading cause of aviation deaths in recent years, surpassing terrorism and other threats. This alarming trend is driven by rising global tensions and the increasing availability of advanced antiaircraft weaponry, making civilian flights in or near conflict zones particularly vulnerable. Despite overall advancements in aviation safety, these incidents highlight the unintended consequences of armed conflict on civilian air travel.

    5. Why are so many senior citizens struggling with student loan debt? A growing number of older Americans are facing a substantial student loan burden, with collective debt reaching $121 billion. Many seniors took out loans later in life for their own education or to support their children's studies. This debt burden presents a significant financial strain, particularly for those on fixed incomes or facing limited job opportunities in retirement.

    6. What happened with the VW data leak, and what does it mean for EV owners? Volkswagen Group suffered a major data breach that exposed the sensitive information of 800,000 electric vehicle owners, including GPS location data, battery statuses, and user habits. The data was left unsecured on Amazon's cloud for several months, potentially allowing tech-savvy individuals to link vehicles to owners' personal information. This incident emphasizes the importance of robust data security measures as vehicles become increasingly connected and reliant on data sharing.

    7. How is Maine's Mountain View Correctional Facility using remote work to help inmates? Mountain View Correctional Facility in Maine is offering inmates remote work opportunities with private companies. This program aims to equip inmates with valuable skills and experience, improving their chances of securing employment upon release. Inmates earn competitive wages while working remotely, contributing to restitution, room and board, and developing financial responsibility.

    8. What can we learn from these recent events in IT privacy and security? These events underscore the evolving landscape of digital security and privacy. From state-sponsored hacking to data leaks and the increasing vulnerability of air travel, individuals and organizations must remain vigilant and proactive in safeguarding their information and systems.

    The IT Privacy and Security Weekly Update for the Week Ending December 31st., Breaks out of 2024 and into 2025!

    Jan 1, 2025 16:05


    EP 223 For this update, a completely diverse collection of stories starting with Apple dodging the search engine game by insisting that search ads are not Apple's "core" expertise. Then another serving of fruit and Raspberry Pi's billion-dollar boom proving that tiny computers with huge valuations says you don't need size to make a big impact. Chinese hackers demonstrate that it makes "cents" to have the US Treasury's data on their holiday gift list. And then for your next security conference, forget peanuts on your flight, now you have to worry about missiles landing on your snack tray. Seniors swim in student loan debt while Grandma knits scarves—and tries to figure out how to pay off her 50 year old university degree. VW's massive EV data leak reveals that your car is smarter than ever and so are the hackers. Then, it's not only the North Koreans who can play at this game, Maine prisoners go remote, landing virtual gigs as legit IT staffers. This is a wild update, so let's use it to break out of 2024 and into 2025! Find the full transcript to this podcast here.

    EP 222.5 Deep Dive into 'No coal in them Stockings' from the IT Privacy and Security Weekly Update for the Week Ending December 24th., 2024

    Dec 26, 2024 23:27


    We go deep into this week's topics and break into the stories covered.

    What's happening with bot detection these days? Traditional CAPTCHAs are becoming ineffective as bots are now able to solve them easily. This has led to developers exploring alternative methods like behavior analysis and biometrics, but these come with their own privacy and accessibility concerns. The rise of AI agents further complicates things, requiring platforms to distinguish between helpful and harmful bots.

    Are car companies being hypocritical about data privacy? Yes, senators are calling out automakers for opposing "right-to-repair" laws while simultaneously selling customer data. They argue that automakers' cybersecurity concerns are a smokescreen for maintaining control over repair profits, as there's no evidence independent shops mishandle data more than dealerships. This raises questions about consumer rights concerning vehicle repairs and data privacy.

    What's the problem with digital license plates? A security researcher has demonstrated that digital license plates can be hacked to display false information, enabling users to evade tolls and tickets or even incriminate others. The vulnerability lies in the hardware and requires replacing the plate's chip to fix it, making it a costly solution. While digital plates offer convenient features, their security flaws present a significant risk.

    How is a GPS tracking company ironically exposing customer data? Hapn, a company specializing in GPS tracking, ironically exposed customer names, email addresses, and device serial numbers due to a misconfigured server. This incident highlights the importance of robust cybersecurity measures, especially for companies handling sensitive location data. It serves as a reminder to research a company's security practices before entrusting them with your data.

    Is there a privacy-focused alternative to Alexa or Google Assistant? Yes, Home Assistant has launched Voice PE, a voice-controlled device that operates entirely offline, ensuring user privacy. It supports multiple languages, offers customizable wake words, and can integrate with AI models like ChatGPT. While still in development, it offers a promising alternative for those seeking a local, privacy-centric smart home voice control system.

    What is Apple doing about spyware attacks on its users? Apple is directing victims of spyware attacks to a nonprofit security lab for assistance. This lab specializes in cybersecurity and provides resources to help victims understand and address spyware threats. This partnership highlights Apple's commitment to user security and privacy and emphasizes the importance of community efforts in tackling cybersecurity challenges.

    Why is Australia changing its cryptography standards? Australia is proactively phasing out certain cryptographic algorithms by 2030 to mitigate the threat of future quantum computing attacks. These algorithms, currently widely used, are expected to become vulnerable as quantum computing technology advances.

    What are the latest concerns about SMS-based authentication? Federal agencies are warning against using SMS for two-factor authentication due to its vulnerability to interception and phishing attacks. SMS messages are unencrypted, making them susceptible to compromise. Opt for more secure alternatives, like authenticator apps or passkeys, whenever available, to enhance your online security.

    Are there security concerns with global telecommunications networks? The Department of Homeland Security has revealed that countries like China, Russia, Iran, and Israel are exploiting weaknesses in the SS7 protocol, which connects global telecom systems, to spy on Americans. Users are encouraged to consider using encrypted communication apps and limiting location tracking to minimize their exposure to such surveillance.

    "No coal in them Stockings" from the IT Privacy and Security Weekly Update for the Week Ending December 24th., 2024

    Dec 25, 2024 21:17


    Episode 222 For our first story Bot Detection Is No Longer Working. CAPTCHAs are now a reverse IQ test—humans fail while bots ace them effortlessly. Then senators rip into the automakers: Car makers sell your data but won't let you fix your car—talk about a two-for-one insult. Fancy digital plates? Cool until someone hacks them to dodge tolls—or make you pay theirs. A GPS tracker company left customer data exposed, which is a little ironic for a business built on knowing your every move. Then a new smart assistant that won't gossip about you to the cloud. It's still got some rough edges, but we'll take rough over exposed. Apple's sending spyware victims to a nonprofit because even their genius bar needs backup sometimes. Australia's future-proofing by ditching old cryptography—quantum hackers, this puts them way ahead of the elliptic curve! From there it's another day, another healthcare hack. This time it's 5.6 million patients learning about their healthcare provider's poor data hygiene the hard way. Still using SMS for 2FA? The feds say it's a lot like locking your door but leaving the key under the mat. The US Department of Homeland Security says global spies are routinely using old and completely insecure SS7 telecom flaws. Maybe you want to rethink that unencrypted text you just sent. We filled your stockings with this week's update, and the best part? Not a single piece of coal in sight! Let's get unwrapping! Find the full transcript to this podcast here.

    Episode 221.5 Deep Dive: The IT Privacy and Security Weekly Update closes the door for the Week Ending December 17th., 2024

    Dec 19, 2024 13:58


    FAQ: IT Privacy and Security Weekly Update (Week Ending December 17th, 2024)

    1. What is the main takeaway from the recent US Telecom breach? The breach linked to Chinese hackers highlights the dangers of government backdoors in encryption systems. The 1994 CALEA law, intended to assist law enforcement, created vulnerabilities exploited in this incident. Experts emphasize that backdoors weaken security for everyone and make systems susceptible to both good and bad actors.

    2. What security concerns arose with UnitedHealthcare's Optum AI chatbot? Optum's AI chatbot, used internally for managing health insurance claims, was left publicly accessible without a password. Although it didn't contain sensitive health data, its exposure raises concerns about the responsible management of AI, particularly given UnitedHealthcare's alleged use of AI to deny patient claims.

    3. Despite improvements, why should users still be cautious with Microsoft's Recall feature? While Microsoft's Recall screen capture tool now includes encryption and sensitive information filtering, tests reveal inconsistencies in its performance. It struggles to identify private data in non-standard formats or situations, potentially leading to unintended exposure of sensitive details.

    4. What is the significance of Meta's recent €251 million fine by the EU? The fine stems from a 2018 security breach exposing data of millions of EU users. It underscores the EU's strong enforcement of the GDPR and emphasizes the importance of companies prioritizing data protection. For users, it serves as a reminder that their personal information may not always be secure.

    5. How is the US-China trade conflict impacting the Ukraine war effort? China is limiting sales of drone components critical to Ukraine's defense as part of the escalating trade conflict with the US. This move is expected to expand to broader export restrictions, hindering Ukraine's access to vital drone technology.

    6. Why is the EU investing in its own satellite constellation, IRIS²? The EU aims to reduce reliance on non-European networks like Starlink by developing IRIS². This sovereign satellite constellation will provide secure internet access across Europe, enhancing strategic autonomy and fostering public-private collaboration in the space sector.

    7. What benefits will Let's Encrypt's new six-day certificates offer? The shift to shorter certificate lifespans significantly reduces security risks associated with compromised keys. While this means issuing more certificates, Let's Encrypt's automated systems will ensure a smooth transition for users, resulting in a safer and more secure internet experience.

    8. How is United Airlines using Apple technology to improve its baggage handling? United Airlines is integrating Apple's "Share Item Location" feature into its mobile app. Passengers can now share real-time locations of AirTags attached to their luggage, enabling United's customer service team to track and retrieve misplaced baggage more efficiently.

    The IT Privacy and Security Weekly Update closes the Door for the Week Ending December 17th., 2024

    Dec 17, 2024 16:18


    Episode 221 Our first update has an important security lesson, "When you build a backdoor, don't be surprised when everyone comes walking through it." Then a very topical subject when an insurance chatbot is exposed... now you can experience the chatbot denying your claims in real time! Microsoft's Recall feature: capturing sensitive info, even when it promises it won't—because AI still struggles with "Oops." Then Meta seems to be collecting fines as efficiently as it collects your data. China to Ukraine: "No drones for you!"—because trade wars come with flying consequences. Europe builds its own Starlink—because relying on Musk for internet isn't a good long-term plan. And now, Six-day certificates! "Keeping secrets for 90 days is so last year." Lastly, for the holidays: United Airlines teams up with Apple's AirTags—because you can't lose what you can track. Let's go rattle some doors! For the full transcript to this podcast click here.

    EP 220.5 Deep Dive - The IT Privacy and Security Weekly Update solves the Mystery of the vanishing Stoli for the Week Ending December 10th., 2024

    Dec 12, 2024 29:49


    IT Privacy and Security FAQ - Week Ending December 10th, 2024

    1. What happened to Stoli, and how can I protect my business from the same fate? A ransomware attack crippled Stoli Group's IT systems, leading to bankruptcy for its US and Kentucky Owl subsidiaries. The attack highlighted the importance of robust cybersecurity measures. To safeguard your business, prioritize secure IT systems, keep software updated, maintain regular backups, and educate employees about phishing and malware threats.

    2. Is my phone call safe? What's this about a Chinese hacking campaign? A Chinese cyber-espionage campaign, Salt Typhoon, targeted telecom networks in at least two dozen countries, including major US carriers. The attackers stole metadata to identify high-value targets and intercept communications. While classified information wasn't compromised, this emphasizes the need for vigilance. Limit sharing sensitive information over calls or texts, and consider end-to-end encryption tools for added security.

    3. What is the FCC doing about telecom cybersecurity? The FCC is proposing mandatory cybersecurity risk management plans for telecom companies and will enforce them with potential fines or criminal penalties. This follows concerns over persistent security lapses and aims to prevent breaches like the recent Chinese hacking campaign.

    4. I use Google Messages. Is it truly end-to-end encrypted? Google Messages' claims of "end-to-end encryption" are misleading. While RCS chats within Google Messages can be encrypted, SMS messages and those sent to non-Google users are not. Always verify encryption details and don't rely on vague claims to protect your privacy.

    5. What is Sauron, and should I be concerned about its home security approach? Sauron is a startup offering high-tech home security using drones, cameras, facial recognition, and 24/7 monitoring. While appealing for its advanced features, the company's use of facial recognition and potential for aggressive countermeasures raises privacy concerns. Weigh these factors carefully when considering such systems for your home.

    6. Is Solana safe? What happened with the code library attack? A supply chain attack compromised Solana's JavaScript SDK, leading to the theft of $184,000 from digital wallets. While the malicious code was quickly removed, it highlights the risks of open-source libraries. Developers and users should prioritize upgrading libraries, rotating keys, and staying informed about security updates from reliable sources like CoinDesk and The Block.

    7. Can I now use my cellphone anywhere with SpaceX's Starlink? SpaceX launched new satellites enabling direct cellphone connectivity through Starlink. While initially limited to text messaging, the service will eventually support voice, data, and IoT devices. This promises global coverage even in remote areas. However, pricing details and encryption information remain unclear. Stay tuned for updates and explore how this service could benefit you.

    8. What's the main takeaway from this week's IT security news? This week's news emphasizes the growing cybersecurity threats across various domains, from ransomware attacks to sophisticated state-sponsored espionage and supply chain vulnerabilities. Staying informed, adopting proactive security measures, and carefully evaluating new technologies are crucial steps in protecting yourself and your data.

    The IT Privacy and Security Weekly Update solves the Mystery of the Missing Stoli for the Week Ending December 10th., 2024

    Dec 11, 2024 16:13


    Episode 220 This week we solve a mystery that may have more impact this holiday season than you could imagine, and what you can do to stop the same thing happening to you. A Chinese hacking campaign targets telecoms globally, proving that no phone call is truly safe. The FCC takes a hard stance on telecom cybersecurity, warning companies: fix those flaws or face hefty penalties. Google's "end-to-end encryption" turns out to be more like "end-to-what?" as tech bloggers expose misleading claims. A startup takes home security to new extremes with drones, facial recognition, and a little bit of paranoia. A backdoor in a popular Solana library drains wallets, leaving a $184,000 hole and crypto developers scrambling to upgrade. SpaceX's new satellite network aims to keep your phone connected, even when you're way off the grid—though texting is the only thing that's fast for now. We have the world of IT Privacy and Security covered from Stoli to SpaceX. Let's jet. Find the full transcript here.

    Episode 219.5 Deep dive into The IT Privacy and Security Weekly Update moves into Low Earth Orbit for the Week Ending December 3rd., 2024

    Dec 5, 2024 14:09


    Deep dive into The IT Privacy and Security Weekly Update moves into Low Earth Orbit for the Week Ending December 3rd., 2024: Your FAQs Answered

    1. What is the FTC doing to protect my location data? The FTC has taken action against companies like Gravy Analytics and Venntel selling sensitive location data without user consent. This data, often gathered from smartphones, was being used for surveillance purposes, including by law enforcement agencies. The FTC has banned these companies from selling this data, except in limited circumstances related to national security or law enforcement.

    2. How can I ensure software updates support my smart devices? Unfortunately, a recent FTC study found that nearly 9 of 10 smart device makers don't disclose how long they will provide software updates. This means your devices could become obsolete and vulnerable to security risks sooner than you expect. Before purchasing a smart device, check the manufacturer's website for clear information about software update policies.

    3. What are the biggest cybersecurity threats facing the UK? According to the UK's new cyber chief, the country is significantly underestimating the risks posed by cyberattacks. The frequency, sophistication, and intensity of hostile activity in UK cyberspace has increased. Despite growing threats from Russia and China, there's a lack of awareness about the severity of the risks.

    4. Why are U.S. Senators concerned about facial recognition technology at airports? A bipartisan group of Senators has called for an investigation into the TSA's use of facial recognition technology at airports. They cite concerns about privacy violations, lack of transparency, and potential for misuse. There are also questions about the technology's effectiveness in reducing delays and improving security.

    5. How is Australia protecting children from the potential harms of social media? Australia has become the first country to ban children under 16 from using social media platforms. This landmark law aims to protect young people's mental health and well-being by limiting their access to platforms like TikTok, Instagram, and Facebook. Social media companies face hefty fines if they fail to comply.

    6. What is the significance of the overturned sanctions on Tornado Cash? A U.S. appeals court overturned sanctions on Tornado Cash, a cryptocurrency privacy tool. The court ruled that smart contracts, which power Tornado Cash, aren't considered property under U.S. law, and therefore the Treasury Department overstepped its authority. This decision is a significant win for privacy advocates in the crypto industry and highlights the ongoing debate over how governments regulate privacy-focused technologies.

    7. Why is global cooperation essential for managing space traffic? Low Earth orbit is becoming increasingly crowded with satellites and debris, posing risks of collisions and rendering space unusable. Experts are urging global cooperation to create a shared database for tracking objects and developing international rules to manage space traffic. However, geopolitical tensions and corporate secrecy make this cooperation difficult.

    8. How are cybersecurity threats impacting spacecraft and satellites? As space exploration expands, so do the cybersecurity risks. Hackers are becoming more sophisticated, targeting spacecraft and satellites with potentially catastrophic consequences. These attacks could disrupt navigation, communications, and even defense systems. The increasing use of artificial intelligence (AI) in space adds further vulnerabilities. Protecting space assets from cyber threats is now a critical priority for governments and space agencies worldwide.

    Stay safe, stay secure and stay with us!

    EP 219 The IT Privacy and Security Weekly Update moves into Low Earth Orbit for the Week Ending December 3rd., 2024

    Dec 4, 2024 (16:03)


    EP219 For this update, yes we are up again. We start off on terra firma, but we definitely end up in the clouds.
    A double whammy from the FTC, who just put the brakes on companies selling your location data (because privacy should come first, even if you're just visiting a coffee shop) and then suddenly notices that your smart devices might not be as 'smart' as you thought—especially when it comes to knowing how long they'll get updates.
    The UK's cybersecurity chief warns that we're underestimating the cyber threats, and tells the UK citizenry it's time to brace for a bigger digital storm.
    Facial recognition at airports: convenient or a privacy nightmare? It's spreading across the US like wildfire, so senators are calling for a closer look before it becomes mandatory.
    Australia just became the first country to ban kids under 16 from social media—marking... a huge step towards giving kids their childhoods back again.
    A crypto privacy win! Tornado Cash sanctions get overturned, sparking debate on how the government should regulate tech.
    Then up we go: with Earth's orbit getting crowded, experts are calling for global cooperation to prevent space from becoming the next traffic jam (or junk yard).
    Space might be the final frontier, but hackers are already eyeing it—leading experts to warn of rising cybersecurity risks for satellites and spacecraft.
    Come on, let's chase the horizon! Find the full transcript of this podcast here.

    Episode 218.5 Deep Dive: The IT Privacy and Security Weekly Update serves up some Pi for the Week Ending November 26th., 2024

    Nov 28, 2024 (17:21)


    FAQ:

    1. What measures are US senators proposing to enhance cybersecurity in healthcare? A bipartisan group of US senators has introduced the Health Care Cybersecurity and Resiliency Act of 2024. This act mandates that healthcare organizations adopt basic cybersecurity standards like multi-factor authentication (MFA), improved coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA), and a more transparent breach reporting process, including details about the number of individuals affected and corrective actions taken.

    2. What is Australia doing to combat the rise of ransomware attacks? Australia has enacted its first Cyber Security Act, requiring organizations exceeding a certain size (likely those with a turnover above AUD $3 million) to report any ransomware payments made to cybercriminals. The act also establishes a framework for the voluntary reporting of cyber incidents to encourage information sharing and enhance collective cybersecurity.

    3. What is the extent of the alleged Chinese hacking of US telecom infrastructure? Reports suggest that Chinese government-backed hackers, known as Salt Typhoon, have infiltrated US telecommunications networks, potentially gaining access to phone calls and text messages. This breach reportedly exploited vulnerabilities in the system used by US authorities for lawful wiretaps. The incident, labeled as potentially the "worst telecom hack in our nation's history", raises serious concerns about national security and data privacy.

    4. What advice is the Japanese government giving its citizens regarding their digital legacies? The Japanese National Consumer Affairs Center recommends that citizens engage in "digital end-of-life planning" to prevent difficulties in managing their online accounts after their death. They advise ensuring family members can access their devices, maintaining a list of subscriptions and login credentials, possibly including this information in end-of-life documents, and considering services that allow designated individuals to manage accounts posthumously.

    5. What privacy concerns have arisen with Microsoft's Copilot tool? Microsoft's Copilot, designed to streamline tasks by accessing internal company information, has inadvertently exposed sensitive data, including CEO emails and HR documents. This occurred due to lax permission settings in some companies, allowing Copilot to access and retrieve documents beyond intended access levels.

    6. How is Microsoft enhancing Windows security following the CrowdStrike incident? In response to the CrowdStrike incident that impacted millions of Windows devices, Microsoft is introducing the Windows Resiliency Initiative. This initiative includes Quick Machine Recovery, enabling remote repair of unbootable systems, stricter testing and deployment protocols for security vendors, and a framework to move antivirus processing outside the Windows kernel for improved security and stability.

    7. What was the outcome of Interpol's Operation Serengeti in Africa? Interpol's Operation Serengeti, conducted in collaboration with Afripol, resulted in the arrest of over 1,000 suspects across 19 African countries. The operation targeted cybercriminals involved in activities like ransomware, business email compromise, digital extortion, and online scams. Notably, the operation dismantled networks involved in credit card fraud, Ponzi schemes, human trafficking, illegal gambling, and cryptocurrency scams.

    8. Why are undersea data cables becoming an increasing security concern? Undersea fiber-optic cables, responsible for transmitting vast amounts of global internet traffic, are increasingly vulnerable to damage and sabotage. Recent incidents, such as damage to cables in the Baltic Sea suspected to be linked to a Chinese cargo vessel, highlight these risks.

    The IT Privacy and Security Weekly Update serves up some Pi for the Week Ending November 26th., 2024

    Nov 27, 2024 (18:57)


    Episode 218 For this Update we start with an attempt to stop a spoiler and end with quite a few ways to slice a Pi.
    In the US, a few senators have gotten together a tablet of requirements they'd like to see healthcare organizations swallow.
    Australia moves forward with a reporting requirement for all firms paying ransomware demands.
    China is back in the news in the backdoor of all the US mobile phone providers. The big issue this week? Finding them and kicking them out!
    Japan has a very pragmatic suggestion if you are prone to jumping off mountains in a squirrel suit.
    Microsoft's Copilot reveals a side of its extreme cleverness that could get the CEO fired, and then they announce new rollouts that will hopefully prevent another CrowdStrike debacle.
    Interpol busts the Nigerian prince that you sent that money to so he could wire you a million.
    With online television and content providers growing in popularity, plenty have cut their cable; however, they too could be compromised if the popularity of this particular cable cutting continues to grow.
    This week we cut headcount, cables and Pi. Come on, let's go serve it up! Find the full transcript of this podcast here.

    Episode 217.5 Deep Dive The IT Privacy and Security Weekly Update puts it on a map for the Week Ending November 19th., 2024

    Nov 21, 2024 (13:35)


    Privacy & Security FAQ: Week Ending November 19th, 2024

    1. What happened with T-Mobile and Chinese hackers? Chinese hackers, suspected of ties to Chinese intelligence, infiltrated T-Mobile as part of a larger cyberespionage operation. This attack targeted telecom companies to gather intelligence on high-value targets. While T-Mobile claims no significant impact on their systems or customer data, the breach raises concerns about the security of telecommunications networks and the potential for surveillance.

    2. Google is rolling out an AI-powered scam call detection feature for Android phones, starting with Pixel 6 and newer models. This feature analyzes real-time conversation patterns to detect potential scams and alerts users through audio, haptic, and visual warnings. The system operates entirely on the device, ensuring privacy by not storing or transmitting call data externally.

    3. India's competition watchdog fined Meta $25.4 million and ordered WhatsApp to stop sharing user data with other Meta units for advertising for five years. This action stems from WhatsApp's 2021 privacy policy update, which mandated data sharing with Meta companies without an opt-out option. The watchdog deemed this practice an abuse of Meta's dominant position and coercive towards users.

    4. Legal documents from a US lawsuit between NSO Group and WhatsApp revealed that NSO Group, not its government clients, directly installs the Pegasus spyware on targeted phones and extracts information from them. This contradicts NSO's claims that clients solely operate the spyware. The revelation raises concerns about the control and accountability of NSO Group's powerful surveillance technology.

    5. ChatGPT's desktop app for macOS can now read code from developer-focused apps like VS Code, Xcode, and TextEdit. This integration allows developers to send code snippets directly to ChatGPT for analysis and assistance without manual copy-pasting. While it currently lacks the ability to write code directly into apps, this feature marks a step towards streamlined AI assistance in coding workflows.

    6. DeFlock is an open-source project utilizing OpenStreetMap to map the locations of automated license plate readers (ALPRs) worldwide. Concerned about the proliferation of these surveillance devices, the project encourages crowdsourced reporting of ALPR locations, including details like camera direction. You can contribute to this initiative by reporting ALPRs in your area on the DeFlock website: https://deflock.me/report.

    7. Internal emails revealed that the US Secret Service debated the need for warrants when using location data from smartphone apps. Some officials argued that users' acceptance of app terms of service implied consent for data sharing, even if those terms didn't explicitly mention sharing with law enforcement. This raised concerns about government agencies accessing private location data without proper legal authorization.

    How can you enhance your privacy and security?
    For secure communication: Consider using encrypted messaging apps like Signal or Session.
    Protect against phone fraud: Be wary of suspicious calls and consider enabling Google's AI-powered scam call detection.
    Control data sharing: Scrutinize app permissions and privacy policies before granting access to personal information.
    Support privacy initiatives: Contribute to projects like DeFlock and advocate for stronger data protection laws.
    Stay informed: Follow reputable sources for news on privacy and security issues to make informed decisions about your digital life.

    The IT Privacy and Security Weekly Update puts it on a map for the Week Ending November 19th., 2024

    Nov 20, 2024 (15:37)


    EPISODE 217 If you drive a car you'll want to listen out for the sixth story in our update this week. We tell you how you can even join in the fun!
    On the day after 45 people were sentenced to prison by the Chinese authorities for pro-democracy activities in Hong Kong, we get confirmation that the Chinese have broken into T-Mobile.
    Google gives a gift that could stop phone fraud in its tracks, but only if you have a Pixel 6 or later phone.
    India slaps Meta for coercive activities related to customer data sharing.
    Then Meta slaps NSO Group for lying about who controls their phone spyware.
    ChatGPT can now read from some of the more popular coding applications on Apple Macs, taking AI a further step closer to helping engineers where they work.
    One man decides to create a project to map all the Flock-brand automated license plate readers near his home and finds out that people all over the world want to add their own readers, creating a global initiative.
    And finally, an example of invited by inference, and why "You gave it to the app, so you gave it to us" actually is not right at all.
    Let's put it on a map. Find the full transcript to this podcast here.

    Episode 216.5 Deep Dive. The IT Privacy and Security Weekly Update and an Alarming Outfit for the Week Ending November 12th., 2024

    Nov 14, 2024 (17:20)


    The team discusses the week's IT Privacy and Security Update and offers a different perspective. Enjoy!

    An Alarming IT Privacy and Security Weekly Update for the Week Ending November 12th., 2024

    Nov 13, 2024 (16:33)


    Episode 216 In this week's update we move from alarming outfits to stormy data sharing.
    We start with retailers eyeing thread-thin tech to tackle shoplifting and then move to cyber-criminals stealing private data by pretending to be the police.
    Then that iPhone the police took off you when your paid-for shirt set off the alarm... well, it suddenly rebooted. Then Apple again dreams up a plan that could make lost luggage a thing of the past.
    From there, an update from the Feds as they suggest staff be as brief as possible on your next phone call.
    Next, one library has lending rights withdrawn, and we wait for the echo effect as it hits other libraries making books available online.
    And finally IBM takes a hit as they are again dragged to court over the Weather Channel's data sharing.
    We always have the latest, freshest IT privacy and security updates for you. Come on! Let's set off some alarms! Find the full transcript for this podcast here.

    EP215.5 Baguettes and the IT Privacy and Security Weekly Update for the week ending November 5th., 2024

    Nov 7, 2024 (11:06)


    For Episode two one five and a half our couple does a deep dive into this week's topics. Enjoy!

    Fresh Baguettes and the IT Privacy and Security Weekly Update for the week ending November 5th., 2024

    Nov 6, 2024 (15:39)


    Episode 215 On U.S. election day, this is the update that will tear you away from the endless all-night results shows.
    Schneider Electric gets hacked, and the cyber thief is demanding $125,000 in something peculiar – a data breach with a French twist!
    Scientists have discovered that plants “see” light by bending it through tiny air gaps – proving they don't need eyes to point to something bright.
    Opting out of facial recognition site PimEyes means giving them more photos... and left us feeling conflicted.
    Google's AI Big Sleep found a bug in SQLite, so now we have AI debugging AI – what could possibly go wrong?
    Meta's AI models just got the green light for military use, because nothing says “peace” like open-source warfare tech.
    The 26-year-old founder of Gotbit just got indicted for market manipulation – because apparently fake crypto trading volume isn't cool with the feds.
    A new report reveals that millions of American phones might be susceptible to Chinese surveillance. Could it be time to switch to encrypted apps or start using carrier pigeons?
    Sit back, relax, and join in for the best update yet! Find the full transcript to this podcast here.

    Episode 214.5 Deep Dive into Hacks, Zachs, and Smacks from the IT Privacy and Security Weekly Update on October 29 2024

    Oct 31, 2024 (22:25)


    Episode 214.5 This deep-dive session takes a more conversational look into the topics covered in Tuesday's update. More to enjoy!
